Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#29206 closed Bug (fixed)

ValidationError when a reset password link contains a bad UIDB64 UUID

Reported by: Mattia Procopio Owned by: Mattia Procopio
Component: contrib.auth Version: 2.0
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tim Graham)

Our user model pk is a UUID. While making some tests trying to reset the password, we met a 500 because the encoded UUID is not decoded properly. Here's the URL:
http://127.0.0.1:8000/reset/MTgiYWRiYmItZWNhYi00OTBiLThiMTMtYzg0MDUxMWRmOTVl/4u3-853c9fe868a403fa439f/

and this is the traceback:

ValueError: invalid literal for int() with base 16: '18"adbbbecab490b8b13c840511df95e'
  File "django/db/models/fields/__init__.py", line 2363, in to_python
    return uuid.UUID(value)
  File "python3.6/uuid.py", line 141, in __init__
    int = int_(hex, 16)

ValidationError: ['\'18"adbbb-ecab-490b-8b13-c840511df95e\' is not a valid UUID.']
  File "django/core/handlers/exception.py", line 35, in inner
    response = get_response(request)
  File "django/core/handlers/base.py", line 128, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "django/core/handlers/base.py", line 126, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "django/views/decorators/debug.py", line 76, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "django/contrib/auth/views.py", line 329, in password_reset_confirm
    user = UserModel._default_manager.get(pk=uid)
  File "django/db/models/manager.py", line 82, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "django/db/models/query.py", line 397, in get
    num = len(clone)
  File "django/db/models/query.py", line 254, in __len__
    self._fetch_all()
  File "django/db/models/query.py", line 1179, in _fetch_all
    self._result_cache = list(self._iterable_class(self))
  File "django/db/models/query.py", line 53, in __iter__
    results = compiler.execute_sql(chunked_fetch=self.chunked_fetch, chunk_size=self.chunk_size)
  File "django/db/models/sql/compiler.py", line 1051, in execute_sql
    sql, params = self.as_sql()
  File "django/db/models/sql/compiler.py", line 459, in as_sql
    where, w_params = self.compile(self.where) if self.where is not None else ("", [])
  File "django/db/models/sql/compiler.py", line 391, in compile
    sql, params = node.as_sql(self, self.connection)
  File "django/db/models/sql/where.py", line 80, in as_sql
    sql, params = compiler.compile(child)
  File "django/db/models/sql/compiler.py", line 391, in compile
    sql, params = node.as_sql(self, self.connection)
  File "django/db/models/lookups.py", line 161, in as_sql
    rhs_sql, rhs_params = self.process_rhs(compiler, connection)
  File "django/db/models/lookups.py", line 260, in process_rhs
    return super().process_rhs(compiler, connection)
  File "django/db/models/lookups.py", line 93, in process_rhs
    return self.get_db_prep_lookup(value, connection)
  File "django/db/models/lookups.py", line 187, in get_db_prep_lookup
    [get_db_prep_value(value, connection, prepared=True)]
  File "django/db/models/fields/__init__.py", line 2354, in get_db_prep_value
    value = self.to_python(value)
  File "django/db/models/fields/__init__.py", line 2368, in to_python
    params={'value': value},

The error is raised when user = UserModel._default_manager.get(pk=uid) is executed. While I think a ValidationError is a proper exception, I'm wondering if that couldn't be caught within that try/except. I feel it is a bit weird getting a 500 if somebody tries to forge a URL, for example.
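
The code path the description walks through, as an added Python illustration that is not code from the ticket or from Django itself: urlsafe_base64_decode and uuid_to_python follow the behaviour of Django 2.0's django.utils.http.urlsafe_base64_decode and UUIDField.to_python (the ValueError-to-ValidationError step the traceback shows), while ValidationError, DoesNotExist, USERS, USER_PK, UNKNOWN_PK, get_user_by_pk, outcome and the two get_user_* variants are constructed stand-ins for the real classes and the view's get_user. The before-fix variant catches the tuple the 2.0 view catched, so the ValidationError escapes as a 500; the after-fix variant adds ValidationError to the except tuple, which is the hardening consistent with the commit message (the exact diff is an assumption, as the ticket does not show it). The sample user and the unknown-user pk are constructed; REPORTED_UIDB64 is the uid segment of the URL quoted above.

```python
import base64
import binascii
import uuid


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumption: minimal, not the real class)."""


class DoesNotExist(Exception):
    """Stand-in for UserModel.DoesNotExist."""


def urlsafe_base64_decode(s):
    """Mirror of django.utils.http.urlsafe_base64_decode (2.0): re-pad, decode, and turn
    base64 garbage into ValueError so the view's except clause can catch it."""
    raw = s.encode()
    try:
        return base64.urlsafe_b64decode(raw.ljust(len(raw) + len(raw) % 4, b"="))
    except (LookupError, binascii.Error) as e:
        raise ValueError(e)


def uuid_to_python(value):
    """Mirror of django.db.models.UUIDField.to_python: a string that uuid.UUID() rejects
    is re-raised as ValidationError, the exception the ticket's view did not catch."""
    if value is not None and not isinstance(value, uuid.UUID):
        try:
            return uuid.UUID(value)
        except (AttributeError, ValueError):
            raise ValidationError("'%s' is not a valid UUID." % value)
    return value


# Constructed sample data: one user whose primary key is a UUID, plus a pk nobody has.
USER_PK = uuid.UUID("18badbbb-ecab-490b-8b13-c840511df95e")
UNKNOWN_PK = uuid.UUID(int=1)
USERS = {USER_PK: "alice"}

# The uidb64 segment of the URL quoted in the ticket; it decodes to a string with a
# double quote where a hex digit should be, which is what UUIDField rejects.
REPORTED_UIDB64 = "MTgiYWRiYmItZWNhYi00OTBiLThiMTMtYzg0MDUxMWRmOTVl"


def get_user_by_pk(pk):
    """Stand-in for UserModel._default_manager.get(pk=...): the lookup value passes through
    the field's to_python() before any SQL runs, which is exactly where the traceback fails."""
    key = uuid_to_python(pk)
    if key not in USERS:
        raise DoesNotExist(pk)
    return USERS[key]


def get_user_before_fix(uidb64):
    """get_user as the 2.0 view had it: ValidationError is not in the except tuple,
    so a forged or corrupted uidb64 propagates out of the view as a 500."""
    try:
        uid = urlsafe_base64_decode(uidb64).decode()
        return get_user_by_pk(uid)
    except (TypeError, ValueError, OverflowError, DoesNotExist):
        return None


def get_user_after_fix(uidb64):
    """Hardened variant (assumed shape of the fix): ValidationError joins the except tuple,
    so undecodable, non-UUID and unknown uids all degrade to the 'invalid link' page."""
    try:
        uid = urlsafe_base64_decode(uidb64).decode()
        return get_user_by_pk(uid)
    except (TypeError, ValueError, OverflowError, DoesNotExist, ValidationError):
        return None


def encode_uid(pk):
    """urlsafe_base64_encode(force_bytes(pk)) as the reset e-mail builds it, padding stripped."""
    return base64.urlsafe_b64encode(str(pk).encode()).rstrip(b"=").decode()


def outcome(getter, uidb64):
    """Summarise what a request would see: a user, the invalid-link page, or an escaped exception."""
    try:
        user = getter(uidb64)
    except ValidationError:
        return "uncaught ValidationError (500)"
    return "invalid link" if user is None else "user:%s" % user


if __name__ == "__main__":
    for label, uidb64 in [
        ("reported", REPORTED_UIDB64),
        ("valid", encode_uid(USER_PK)),
        ("unknown uuid", encode_uid(UNKNOWN_PK)),
        ("not utf-8", "____"),  # decodes to 0xff bytes: UnicodeDecodeError is a ValueError
    ]:
        print(label, "before:", outcome(get_user_before_fix, uidb64),
              "after:", outcome(get_user_after_fix, uidb64))
```

The decisive case is the first one: base64 that decodes cleanly but whose content is not a UUID reaches the ORM lookup, and it is the field coercion, not the base64 step, that raises, so catching only the base64-stage exceptions is not enough for a UUID primary key.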

Change History (10)

comment:1 Changed 2 years ago by Tim Graham

Component: Uncategorized → contrib.auth
Description: modified (diff)
Summary: Validation Error and 500 when a reset password link contains a bad UIDB64 UUID → ValidationError when a reset password link contains a bad UIDB64 UUID
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

Yes, that shouldn't generate an exception.

comment:2 Changed 2 years ago by Mattia Procopio

Owner: changed from nobody to Mattia Procopio
Status: new → assigned

comment:3 Changed 2 years ago by Mattia Procopio

Has patch: set
Last edited 2 years ago by Tim Graham (previous) (diff)

comment:4 Changed 2 years ago by Carlton Gibson

Patch needs improvement: set

Comments on PR. Please untick Patch needs improvement when resolved.

comment:5 Changed 2 years ago by Mattia Procopio

Patch needs improvement: unset

comment:6 Changed 2 years ago by Carlton Gibson

Patch needs improvement: set

comment:7 Changed 2 years ago by Mattia Procopio

Patch needs improvement: unset

comment:8 Changed 2 years ago by Carlton Gibson

Triage Stage: Accepted → Ready for checkin

comment:9 Changed 2 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In aeb8c381:

Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected.

comment:10 Changed 2 years ago by Tim Graham <timograham@…>

In 72667bc:

[2.0.x] Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected.

Backport of aeb8c381789ad93866223f8bd07d09ae5e2edd9e from master
