[Django] #29179: calling format_html can falsely interpret a strack trace as a str.format replacement field
Django
replacement field
-------------------------------------+-------------------------------------
Reporter: Stephan | Owner: nobody
Michaud |
Type: | Status: new
Uncategorized |
Component: | Version: 1.10
Uncategorized |
Severity: Normal | Keywords: format_html, string
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi team,
We have an internal page where we display stack traces on a web page.
We've been using the `format_html` before rendering the data to the
template, which has worked well in the past.
However, one of the stack traces contained a dictionary definition as
such:
{{{#!python
data = urllib.parse.urlencode({'request': self.get_serialized_data()})
}}}
Once that string reached the format_html function, it would cause the
following Exception:
{{{#!python
KeyError: "'request'"
}}}
due to the call to `format()` recognizing the dictionary as a replacement
field.
--
Ticket URL: <https://code.djangoproject.com/ticket/29179>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
replacement field
-------------------------------------+-------------------------------------
Type: Bug | Status: new
Component: Uncategorized | Version: 1.10
Severity: Normal | Resolution:
Keywords: format_html, string | Triage Stage:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* type: Uncategorized => Bug
--
Ticket URL: <https://code.djangoproject.com/ticket/29179#comment:1>
Django
replacement field
-------------------------------------+-------------------------------------
Reporter: Stephan Michaud | Owner: nobody
Type: Bug | Status: new
Severity: Normal | Resolution:
Keywords: format_html, string | Triage Stage:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* component: Uncategorized => Utilities
Comment:
Could you give a minimal example that reproduces the issue (i.e. give the
minimal string from the traceback and the arguments for `format_html()`)?
--
Ticket URL: <https://code.djangoproject.com/ticket/29179#comment:2>
Django
replacement field
-------------------------------------+-------------------------------------
Reporter: Stephan Michaud | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: 1.10
Severity: Normal | Resolution:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Stephan Michaud):
Replying to [comment:2 Tim Graham]:
> Could you give a minimal example that reproduces the issue (i.e. give
the minimal string from the traceback and the arguments for
`format_html()`)?
Sure! Here's the string passed in to `format_html()`:
{{{#!python
<div class="ui-state-default ui-corner-all show_node"
style="cursor:pointer;padding:4px;min-width:50px">show</div><div
class="hidden_menu">Traceback (most recent call last):
File "/home/tool/www/project/common/utils.py", line 52, in inner
ret = func(*args, **kwargs)
File
"/home/tool/www/project/servers/management/commands/servers_getindexation.py",
line 31, in handle
server.fetch_content()
File "/home/tool/www/project/common/abstract_models.py", line 289, in
fetch_content
get=params[1],
File "/home/tool/www/project/proxies/models.py", line 99, in
append_process
process.get_proxy_response()
File "/home/tool/www/project/proxies/models.py", line 254, in
get_proxy_response
data = urllib.parse.urlencode({'request': self.get_serialized_data()})
File "/home/tool/www/project/proxies/models.py", line 216, in
get_serialized_data
'useragent': self.request_useragent,
File "/home/tool/venv/lib/python3.5/base64.py", line 59, in b64encode
encoded = binascii.b2a_base64(s)[:-1]
TypeError: a bytes-like object is required, not 'str'
</div>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/29179#comment:3>
Django
replacement field
-------------------------------------+-------------------------------------
Reporter: Stephan Michaud | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: 1.10
Severity: Normal | Resolution:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Tim Graham):
Oh, I see. Well, I'm not sure there's much Django can do about that. Did
you consider escaping the traceback before passing it to `format_html()`?
--
Ticket URL: <https://code.djangoproject.com/ticket/29179#comment:4>
Django
replacement field
-------------------------------------+-------------------------------------
Reporter: Stephan Michaud | Owner: nobody
Component: Utilities | Version: 1.10
Severity: Normal | Resolution: wontfix
Keywords: format_html, string | Triage Stage:
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: new => closed
* resolution: => wontfix
--
Ticket URL: <https://code.djangoproject.com/ticket/29179#comment:5>