id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3785	admin does not validate object id values before using them in database queries	anonymous	nobody	"Somehow, somewhere, while working with the admin I accidentally appended a +/ to a CRUD URL and this raised the following SQL error.

While the admin should not be accessible to anonymous users, it does not feel right to me to have an SQL exception raised on an invalid URL.

Since django.contrib.admin.urls explicitly specifies the appended operations history and delete, it would seem that it could very well be aware of the fact that '/admin/article/article/12/+/' is not a valid URL.

In django.contrib.admin.views.main, change_stage and all the others clearly define the third path element to be an object_id, so why not use:
{{{
    ('^([^/]+)/([^/]+)/(\d+)/$', 'django.contrib.admin.views.main.change_stage'),
}}}
Instead of:
{{{
    ('^([^/]+)/([^/]+)/(.+)/$', 'django.contrib.admin.views.main.change_stage'),
}}}
for this and the other URLs? Or at least forbid another '/' in there.

Url: '/admin/article/article/12/+/'


Traceback:

{{{
Traceback (most recent call last):

  File ""/usr/lib/python2.4/site-packages/django/core/handlers/base.py"", line 77, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File ""/usr/lib/python2.4/site-packages/django/contrib/admin/views/decorators.py"", line 55, in _checklogin
    return view_func(request, *args, **kwargs)

  File ""/usr/lib/python2.4/site-packages/django/views/decorators/cache.py"", line 39, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)

  File ""/usr/lib/python2.4/site-packages/django/contrib/admin/views/main.py"", line 315, in change_stage
    manipulator = model.ChangeManipulator(object_id)

  File ""/usr/lib/python2.4/site-packages/django/db/models/manipulators.py"", line 259, in __init__
    self.original_object = self.manager.get(pk=obj_key)

  File ""/usr/lib/python2.4/site-packages/django/db/models/manager.py"", line 73, in get
    return self.get_query_set().get(*args, **kwargs)

  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 250, in get
    obj_list = list(clone)

  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 108, in __iter__
    return iter(self._get_data())

  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 470, in _get_data
    self._result_cache = list(self.iterator())

  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 183, in iterator
    cursor.execute(""SELECT "" + (self._distinct and ""DISTINCT "" or """") + "","".join(select) + sql, params)

ProgrammingError: invalid input syntax for integer: ""12/+""
}}}

Thanks for Django and all the good work!"		closed	contrib.admin	dev		fixed	admin, urls, invalid url	root.lastnode@… crucialfelix@…	Accepted	0	0	0	0	0	0
