﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
29206	Validation Error and 500 when a reset password link contains a bad UIDB64 UUID	Mattia Procopio	nobody	"Our user model pk is a UUID, while making some tests trying to reset the password, we met a 500 because the encoded UUID is not decoded properly. Here's the URL:
http://127.0.0.1:8000/reset/MTgiYWRiYmItZWNhYi00OTBiLThiMTMtYzg0MDUxMWRmOTVl/4u3-853c9fe868a403fa439f/

and this is the traceback:

{{{
ValueError: invalid literal for int() with base 16: '18""adbbbecab490b8b13c840511df95e'
  File ""django/db/models/fields/__init__.py"", line 2363, in to_python
    return uuid.UUID(value)
  File ""python3.6/uuid.py"", line 141, in __init__
    int = int_(hex, 16)

ValidationError: ['\'18""adbbb-ecab-490b-8b13-c840511df95e\' is not a valid UUID.']
  File ""django/core/handlers/exception.py"", line 35, in inner
    response = get_response(request)
  File ""django/core/handlers/base.py"", line 128, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File ""django/core/handlers/base.py"", line 126, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File ""django/views/decorators/debug.py"", line 76, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File ""django/views/decorators/cache.py"", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File ""django/contrib/auth/views.py"", line 329, in password_reset_confirm
    user = UserModel._default_manager.get(pk=uid)
  File ""django/db/models/manager.py"", line 82, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File ""django/db/models/query.py"", line 397, in get
    num = len(clone)
  File ""django/db/models/query.py"", line 254, in __len__
    self._fetch_all()
  File ""django/db/models/query.py"", line 1179, in _fetch_all
    self._result_cache = list(self._iterable_class(self))
  File ""django/db/models/query.py"", line 53, in __iter__
    results = compiler.execute_sql(chunked_fetch=self.chunked_fetch, chunk_size=self.chunk_size)
  File ""django/db/models/sql/compiler.py"", line 1051, in execute_sql
    sql, params = self.as_sql()
  File ""django/db/models/sql/compiler.py"", line 459, in as_sql
    where, w_params = self.compile(self.where) if self.where is not None else ("""", [])
  File ""django/db/models/sql/compiler.py"", line 391, in compile
    sql, params = node.as_sql(self, self.connection)
  File ""django/db/models/sql/where.py"", line 80, in as_sql
    sql, params = compiler.compile(child)
  File ""django/db/models/sql/compiler.py"", line 391, in compile
    sql, params = node.as_sql(self, self.connection)
  File ""django/db/models/lookups.py"", line 161, in as_sql
    rhs_sql, rhs_params = self.process_rhs(compiler, connection)
  File ""django/db/models/lookups.py"", line 260, in process_rhs
    return super().process_rhs(compiler, connection)
  File ""django/db/models/lookups.py"", line 93, in process_rhs
    return self.get_db_prep_lookup(value, connection)
  File ""django/db/models/lookups.py"", line 187, in get_db_prep_lookup
    [get_db_prep_value(value, connection, prepared=True)]
  File ""django/db/models/fields/__init__.py"", line 2354, in get_db_prep_value
    value = self.to_python(value)
  File ""django/db/models/fields/__init__.py"", line 2368, in to_python
    params={'value': value},
}}}

The error is raised when **user = UserModel._default_manager.get(pk=uid)** is executed. While I think a ValidationError is a proper exception, I'm wondering whether it could be caught within that try/except. It feels a bit weird to get a 500 if somebody tries to forge a URL, for example: the uidb64 segment comes straight from the request URL, so a malformed value there should not surface as an unhandled server error.

"	Uncategorized	new	Uncategorized	2.0	Normal				Unreviewed	0	0	0	0	0	0
