[Django] #28202: 500 when using malicious GET parameter in admin


Django

May 12, 2017, 6:33:58 PM
to django-...@googlegroups.com
#28202: 500 when using malicious GET parameter in admin
-----------------------------------------+------------------------
Reporter: CM Lubinski | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Malicious GET parameter can cause Django to crash in the admin screens.

Reproduction recipe:
0. Set up Django 1.11.1, Postgres (I'm not sure the db matters) using
Python 3.5 (though this may apply to other versions).
1. Create an admin account & login.
2. Hit `/admin/auth/user/?groups__id__exact=sleep(10)`. See the error

Result will be similar to:
{{{
dev-api_1 | ERROR 2017-05-12 22:29:34,469 django.request Internal Server Error: /admin/auth/user/
dev-api_1 | Traceback (most recent call last):
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/exception.py", line 41, in inner
dev-api_1 | response = get_response(request)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
dev-api_1 | response = self.process_exception_by_middleware(e, request)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
dev-api_1 | response = wrapped_callback(request, *callback_args, **callback_kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 551, in wrapper
dev-api_1 | return self.admin_site.admin_view(view)(*args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
dev-api_1 | response = view_func(request, *args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
dev-api_1 | response = view_func(request, *args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/sites.py", line 224, in inner
dev-api_1 | return view(request, *args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 67, in _wrapper
dev-api_1 | return bound_func(*args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
dev-api_1 | response = view_func(request, *args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 63, in bound_func
dev-api_1 | return func.__get__(self, type(self))(*args2, **kwargs2)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 1542, in changelist_view
dev-api_1 | self.list_max_show_all, self.list_editable, self,
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 78, in __init__
dev-api_1 | self.queryset = self.get_queryset(request)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 322, in get_queryset
dev-api_1 | new_qs = filter_spec.queryset(request, qs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/filters.py", line 137, in queryset
dev-api_1 | return queryset.filter(**self.used_parameters)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 782, in filter
dev-api_1 | return self._filter_or_exclude(False, *args, **kwargs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 800, in _filter_or_exclude
dev-api_1 | clone.query.add_q(Q(*args, **kwargs))
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1261, in add_q
dev-api_1 | clause, _ = self._add_q(q_object, self.used_aliases)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1287, in _add_q
dev-api_1 | allow_joins=allow_joins, split_subq=split_subq,
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1221, in build_filter
dev-api_1 | condition = self.build_lookup(lookups, col, value)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1115, in build_lookup
dev-api_1 | return final_lookup(lhs, rhs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 24, in __init__
dev-api_1 | self.rhs = self.get_prep_lookup()
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 74, in get_prep_lookup
dev-api_1 | return self.lhs.output_field.get_prep_value(self.rhs)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/fields/__init__.py", line 962, in get_prep_value
dev-api_1 | return int(value)
dev-api_1 | ValueError: invalid literal for int() with base 10: 'sleep(10)'
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28202>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 15, 2017, 5:36:43 AM
to django-...@googlegroups.com
#28202: 500 when using malicious GET parameter in admin
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Ajoy Oommen):

* stage: Unreviewed => Accepted


Comment:

Not just `sleep(10)`, the URL will fail on any non-number after
`?groups__id__exact=`.

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:1>

Django

Jun 3, 2017, 4:58:16 PM
to django-...@googlegroups.com
#28202: 500 when using malicious GET parameter in admin
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: Paulo
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Paulo):

* owner: nobody => Paulo
* status: new => assigned


Comment:

Confirmed.
To reproduce, make sure there are one or more groups in the db.

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:2>

Django

Jun 3, 2017, 6:25:31 PM
to django-...@googlegroups.com
#28202: 500 when using malicious GET parameter in admin
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: Paulo
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Paulo):

* has_patch: 0 => 1


Comment:

Patch in https://github.com/django/django/pull/8596

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:3>

Django

Jun 5, 2017, 5:44:41 PM
to django-...@googlegroups.com
#28202: FieldListFilter.get_queryset() crashes if the queryset filtering raises
ValueError
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: Paulo
Type: Bug | Status: assigned
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:4>

Django

Jun 6, 2017, 8:18:14 AM
to django-...@googlegroups.com
#28202: FieldListFilter.get_queryset() crashes if the queryset filtering raises
ValueError
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: Paulo
Type: Bug | Status: closed
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"4ad2f862844d35404e4798b3227517625210a72e" 4ad2f862]:
{{{
#!CommitTicketReference repository=""
revision="4ad2f862844d35404e4798b3227517625210a72e"
Fixed #28202 -- Fixed FieldListFilter.get_queryset() crash on invalid
input.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:5>

Django

Jun 6, 2017, 8:27:26 AM
to django-...@googlegroups.com
#28202: FieldListFilter.get_queryset() crashes if the queryset filtering raises
ValueError
-------------------------------+------------------------------------
Reporter: CM Lubinski | Owner: Paulo
Type: Bug | Status: closed
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"a0707947e4aacd461a3dbb653ddbf800ec2a6dea" a070794]:
{{{
#!CommitTicketReference repository=""
revision="a0707947e4aacd461a3dbb653ddbf800ec2a6dea"
[1.11.x] Fixed #28202 -- Fixed FieldListFilter.get_queryset() crash on
invalid input.

Backport of 4ad2f862844d35404e4798b3227517625210a72e from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28202#comment:6>
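The traceback in the first message and the fix landed in comment 5 describe one failure mode: the admin filter passes a raw GET value into `queryset.filter()`, the field's `get_prep_value()` calls `int()` on it, and the resulting `ValueError` escapes every frame up to Django's outermost handler, which turns it into a 500. The value never reaches SQL (the `int()` coercion fails first), so this is unhandled input rather than injection; the fix is to trap the conversion error in the filter's `queryset()` and raise `IncorrectLookupParameters`, which the admin changelist view already maps to a redirect carrying the `e=1` error flag. The following is an added, self-contained model of that before/after behaviour written for this page; it is not Django's code and not the ticket's patch. The field, the in-memory `USERS` rows and the `changelist_view`/`handle_request` functions are simplified stand-ins for the real Django layers named in the traceback.

```python
"""Model of the #28202 failure and its fix (added example, not Django code)."""
from urllib.parse import parse_qsl


class IncorrectLookupParameters(Exception):
    """Signals a bad filter value; the admin view turns it into a client error."""


class IntegerField:
    """Stand-in for the field whose get_prep_value() is int(value) in the traceback."""

    def get_prep_value(self, value):
        return int(value)


# Assumption: one filterable parameter, matching the reporter's URL.
FILTER_FIELDS = {"groups__id__exact": IntegerField()}

# Constructed sample data: users already joined to a group id.
USERS = [
    {"username": "alice", "groups__id": 1},
    {"username": "bob", "groups__id": 2},
    {"username": "carol", "groups__id": 1},
]


def _apply_filter(rows, used_parameters):
    """Coerce each value through its field, then apply an exact match.

    Coercion happens before anything is sent to the database, which is why
    'sleep(10)' produces a ValueError rather than ever becoming SQL.
    """
    wanted = {}
    for param, raw in used_parameters.items():
        column = param[: -len("__exact")]
        wanted[column] = FILTER_FIELDS[param].get_prep_value(raw)
    return [r for r in rows if all(r[c] == v for c, v in wanted.items())]


def filter_queryset_before_fix(rows, used_parameters):
    """Pre-fix FieldListFilter.queryset() shape: the ValueError escapes unhandled."""
    return _apply_filter(rows, used_parameters)


def filter_queryset_after_fix(rows, used_parameters):
    """Post-fix shape: a conversion error becomes IncorrectLookupParameters."""
    try:
        return _apply_filter(rows, used_parameters)
    except ValueError as e:
        raise IncorrectLookupParameters(e) from e


def changelist_view(path, query_string, filter_fn):
    """Minimal changelist view: (200, path, rows) or (302, redirect, []).

    Only IncorrectLookupParameters is handled here; anything else propagates,
    exactly as the real view let the ValueError through.
    """
    params = dict(parse_qsl(query_string))
    used_parameters = {k: v for k, v in params.items() if k in FILTER_FIELDS}
    try:
        rows = filter_fn(USERS, used_parameters)
    except IncorrectLookupParameters:
        return 302, f"{path}?e=1", []
    return 200, path, rows


def handle_request(path, query_string, filter_fn):
    """Outermost handler: any exception the view lets through becomes a 500."""
    try:
        return changelist_view(path, query_string, filter_fn)
    except Exception:
        return 500, path, []


if __name__ == "__main__":
    url = "/admin/auth/user/"
    for qs in ("groups__id__exact=1", "groups__id__exact=sleep(10)"):
        for name, fn in (("before", filter_queryset_before_fix),
                         ("after", filter_queryset_after_fix)):
            status, location, rows = handle_request(url, qs, fn)
            print(f"{name:6} {qs:30} -> {status} {location} {len(rows)} rows")
```

Run stand-alone, the valid filter returns 200 with two rows in both variants, while `sleep(10)` (or any non-integer, as comment 1 notes) yields a 500 before the fix and a 302 to `/admin/auth/user/?e=1` after it. The general point for any admin-style filter: coerce untrusted lookup values at the boundary and translate conversion failures into a typed exception the view layer knows how to answer, so malformed input is a client error rather than a crash that fills the error log.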
