﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28202	FieldListFilter.get_queryset() crashes if the queryset filtering raises ValueError	CM Lubinski	Paulo	"A crafted GET parameter causes an unhandled ValueError (HTTP 500 ""Internal Server Error"") in the admin changelist view: FieldListFilter.queryset() (filters.py line 137 in the traceback below) passes the raw list-filter value straight to queryset.filter(), the integer field's get_prep_value() calls int() on it, and the resulting ValueError propagates unhandled instead of being reported as an invalid lookup parameter. Note that the failure occurs while the lookup is being built, before any SQL is generated, so the value never reaches the database (this is not SQL injection), and the page is only reachable by an authenticated admin user (see step 1); the issue is robustness/unhandled-exception handling, not a process crash.

Reproduction recipe:
0. Set up Django 1.11.1 with Postgres on Python 3.5. The database backend probably does not matter, since the error is raised before any SQL is built; other Django/Python versions are likely affected as well, but this was only verified on these.
1. Create an admin account & login.
2. Request `/admin/auth/user/?groups__id__exact=sleep(10)`. Any value that `int()` rejects should trigger it; `sleep(10)` is never evaluated or sent to the database. The request fails with the error below.

The resulting server log/traceback looks like this:
{{{
dev-api_1           | ERROR 2017-05-12 22:29:34,469 django.request       Internal Server Error: /admin/auth/user/
dev-api_1           | Traceback (most recent call last):
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/exception.py"", line 41, in inner
dev-api_1           |     response = get_response(request)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py"", line 187, in _get_response
dev-api_1           |     response = self.process_exception_by_middleware(e, request)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py"", line 185, in _get_response
dev-api_1           |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py"", line 551, in wrapper
dev-api_1           |     return self.admin_site.admin_view(view)(*args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py"", line 149, in _wrapped_view
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/views/decorators/cache.py"", line 57, in _wrapped_view_func
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/sites.py"", line 224, in inner
dev-api_1           |     return view(request, *args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py"", line 67, in _wrapper
dev-api_1           |     return bound_func(*args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py"", line 149, in _wrapped_view
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py"", line 63, in bound_func
dev-api_1           |     return func.__get__(self, type(self))(*args2, **kwargs2)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py"", line 1542, in changelist_view
dev-api_1           |     self.list_max_show_all, self.list_editable, self,
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py"", line 78, in __init__
dev-api_1           |     self.queryset = self.get_queryset(request)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py"", line 322, in get_queryset
dev-api_1           |     new_qs = filter_spec.queryset(request, qs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/filters.py"", line 137, in queryset
dev-api_1           |     return queryset.filter(**self.used_parameters)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py"", line 782, in filter
dev-api_1           |     return self._filter_or_exclude(False, *args, **kwargs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py"", line 800, in _filter_or_exclude
dev-api_1           |     clone.query.add_q(Q(*args, **kwargs))
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py"", line 1261, in add_q
dev-api_1           |     clause, _ = self._add_q(q_object, self.used_aliases)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py"", line 1287, in _add_q
dev-api_1           |     allow_joins=allow_joins, split_subq=split_subq,
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py"", line 1221, in build_filter
dev-api_1           |     condition = self.build_lookup(lookups, col, value)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py"", line 1115, in build_lookup
dev-api_1           |     return final_lookup(lhs, rhs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py"", line 24, in __init__
dev-api_1           |     self.rhs = self.get_prep_lookup()
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py"", line 74, in get_prep_lookup
dev-api_1           |     return self.lhs.output_field.get_prep_value(self.rhs)
dev-api_1           |   File ""/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/fields/__init__.py"", line 962, in get_prep_value
dev-api_1           |     return int(value)
dev-api_1           | ValueError: invalid literal for int() with base 10: 'sleep(10)'
}}}"	Bug	closed	contrib.admin	1.11	Normal	fixed			Accepted	1	0	0	0	0	0
