[Django] #29206: Validation Error and 500 when a reset password link contains a bad UIDB64 UUID


Django

Mar 9, 2018, 5:08:43 AM3/9/18
to django-...@googlegroups.com
#29206: Validation Error and 500 when a reset password link contains a bad UIDB64 UUID
-------------------------------------------+------------------------
Reporter: Mattia Procopio | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
Our user model pk is a UUID, while making some tests trying to reset the
password, we met a 500 because the encoded UUID is not decoded properly.
Here's the URL:
http://127.0.0.1:8000/reset/MTgiYWRiYmItZWNhYi00OTBiLThiMTMtYzg0MDUxMWRmOTVl/4u3-853c9fe868a403fa439f/

and this is the traceback:

{{{
ValueError: invalid literal for int() with base 16:
'18"adbbbecab490b8b13c840511df95e'
File "django/db/models/fields/__init__.py", line 2363, in to_python
return uuid.UUID(value)
File "python3.6/uuid.py", line 141, in __init__
int = int_(hex, 16)

ValidationError: ['\'18"adbbb-ecab-490b-8b13-c840511df95e\' is not a valid
UUID.']
File "django/core/handlers/exception.py", line 35, in inner
response = get_response(request)
File "django/core/handlers/base.py", line 128, in _get_response
response = self.process_exception_by_middleware(e, request)
File "django/core/handlers/base.py", line 126, in _get_response
response = wrapped_callback(request, *callback_args,
**callback_kwargs)
File "django/views/decorators/debug.py", line 76, in
sensitive_post_parameters_wrapper
return view(request, *args, **kwargs)
File "django/views/decorators/cache.py", line 44, in _wrapped_view_func
response = view_func(request, *args, **kwargs)
File "django/contrib/auth/views.py", line 329, in password_reset_confirm
user = UserModel._default_manager.get(pk=uid)
File "django/db/models/manager.py", line 82, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "django/db/models/query.py", line 397, in get
num = len(clone)
File "django/db/models/query.py", line 254, in __len__
self._fetch_all()
File "django/db/models/query.py", line 1179, in _fetch_all
self._result_cache = list(self._iterable_class(self))
File "django/db/models/query.py", line 53, in __iter__
results = compiler.execute_sql(chunked_fetch=self.chunked_fetch,
chunk_size=self.chunk_size)
File "django/db/models/sql/compiler.py", line 1051, in execute_sql
sql, params = self.as_sql()
File "django/db/models/sql/compiler.py", line 459, in as_sql
where, w_params = self.compile(self.where) if self.where is not None
else ("", [])
File "django/db/models/sql/compiler.py", line 391, in compile
sql, params = node.as_sql(self, self.connection)
File "django/db/models/sql/where.py", line 80, in as_sql
sql, params = compiler.compile(child)
File "django/db/models/sql/compiler.py", line 391, in compile
sql, params = node.as_sql(self, self.connection)
File "django/db/models/lookups.py", line 161, in as_sql
rhs_sql, rhs_params = self.process_rhs(compiler, connection)
File "django/db/models/lookups.py", line 260, in process_rhs
return super().process_rhs(compiler, connection)
File "django/db/models/lookups.py", line 93, in process_rhs
return self.get_db_prep_lookup(value, connection)
File "django/db/models/lookups.py", line 187, in get_db_prep_lookup
[get_db_prep_value(value, connection, prepared=True)]
File "django/db/models/fields/__init__.py", line 2354, in
get_db_prep_value
value = self.to_python(value)
File "django/db/models/fields/__init__.py", line 2368, in to_python
params={'value': value},
}}}

The error is raised when **user = UserModel._default_manager.get(pk=uid)**
is executed. While I think a ValidationError is a proper exception, I'm
wondering if that couldn't be caught within that try/except. I feel it is a
bit weird getting a 500 if somebody tries to forge a URL, for example.

--
Ticket URL: <https://code.djangoproject.com/ticket/29206>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
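
The failure mode the report describes, as an added example that is not part of the ticket or of Django's code base: a model with a UUID primary key rejects a non-UUID lookup value with a ValidationError, which does not subclass ValueError, so a try/except written for the base64 decoding step lets it escape and the view crashes. The in-memory UUIDUserStore, the ValidationError and DoesNotExist stand-ins, and both get_user variants are constructed here to show the unhardened lookup beside the one that treats every malformed or unknown id as an invalid link; BAD_UIDB64 is the uidb64 segment from the URL in the report.

```python
import base64
import uuid


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumed).

    Like Django's class it does NOT subclass ValueError, which is why an
    except clause written for ValueError does not stop it.
    """


class DoesNotExist(Exception):
    """Stand-in for UserModel.DoesNotExist (assumed)."""


class UUIDUserStore:
    """Constructed in-memory stand-in for UserModel._default_manager with a UUID pk."""

    def __init__(self):
        self._users = {}

    def create(self, username):
        pk = uuid.uuid4()
        self._users[pk] = username
        return pk

    def get(self, pk):
        # A UUID field converts the lookup value before any SQL is built and
        # raises ValidationError when it is not a UUID; mimic that here.
        try:
            key = pk if isinstance(pk, uuid.UUID) else uuid.UUID(pk)
        except (AttributeError, TypeError, ValueError):
            raise ValidationError("'%s' is not a valid UUID." % (pk,))
        if key not in self._users:
            raise DoesNotExist(pk)
        return self._users[key]


def urlsafe_base64_encode(s):
    """URL-safe base64 without '=' padding, the form used in reset links."""
    return base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode("ascii")


def urlsafe_base64_decode(s):
    """Inverse of urlsafe_base64_encode; restores the stripped padding first."""
    data = s.encode()
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


# uidb64 segment of the URL in the report; it decodes to
# '18"adbbb-ecab-490b-8b13-c840511df95e', which is not a UUID.
BAD_UIDB64 = "MTgiYWRiYmItZWNhYi00OTBiLThiMTMtYzg0MDUxMWRmOTVl"


def get_user_before_fix(store, uidb64):
    """Lookup as in the report: ValidationError escapes and turns into a 500."""
    try:
        uid = urlsafe_base64_decode(uidb64).decode()
        user = store.get(pk=uid)
    except (TypeError, ValueError, OverflowError, DoesNotExist):
        user = None
    return user


def get_user(store, uidb64):
    """Hardened lookup: any malformed or unknown id yields None ('invalid link')."""
    try:
        uid = urlsafe_base64_decode(uidb64).decode()
        user = store.get(pk=uid)
    except (TypeError, ValueError, OverflowError, DoesNotExist, ValidationError):
        user = None
    return user


if __name__ == "__main__":
    store = UUIDUserStore()
    pk = store.create("alice")
    print(get_user(store, urlsafe_base64_encode(str(pk))))  # alice
    print(get_user(store, BAD_UIDB64))  # None
    try:
        get_user_before_fix(store, BAD_UIDB64)
    except ValidationError as exc:
        print("before fix:", exc)
```

Returning None from the lookup for every decoding or validation failure keeps the error surface uniform: a forged, truncated or corrupted link renders the same "invalid link" page as an expired token, and nothing about the primary-key type leaks through a traceback.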

Django

Mar 13, 2018, 9:56:00 PM3/13/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
---------------------------------+------------------------------------
Reporter: Mattia Procopio | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Tim Graham):

* component: Uncategorized => contrib.auth
* type: Uncategorized => Bug
* stage: Unreviewed => Accepted


Old description:

New description:

The error is raised when `user = UserModel._default_manager.get(pk=uid)`
is executed. While I think a ValidationError is a proper exception, I'm
wondering if that couldn't be caught within that try/except. I feel it is a
bit weird getting a 500 if somebody tries to forge a URL, for example.

--

Comment:

Yes, that shouldn't generate an exception.

--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:1>

Django

Mar 14, 2018, 1:55:40 AM3/14/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mattia Procopio):

* status: new => assigned
* owner: nobody => Mattia Procopio


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:2>

Django

Mar 14, 2018, 5:42:39 AM3/14/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mattia Procopio):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:3>

Django

Mar 14, 2018, 10:55:00 AM3/14/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* needs_better_patch: 0 => 1


Comment:

Comments on PR. Please untick ''Patch needs improvement'' when resolved.

--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:4>

Django

Mar 14, 2018, 11:17:22 AM3/14/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mattia Procopio):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:5>

Django

Mar 14, 2018, 2:03:45 PM3/14/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:6>

Django

Mar 15, 2018, 4:30:42 AM3/15/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mattia Procopio):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:7>

Django

Mar 15, 2018, 5:49:01 AM3/15/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:8>

Django

Mar 15, 2018, 9:33:33 PM3/15/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: closed
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"aeb8c381789ad93866223f8bd07d09ae5e2edd9e" aeb8c381]:
{{{
#!CommitTicketReference repository=""
revision="aeb8c381789ad93866223f8bd07d09ae5e2edd9e"
Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains
a non-UUID where one is expected.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:9>

Django

Mar 15, 2018, 9:44:37 PM3/15/18
to django-...@googlegroups.com
#29206: ValidationError when a reset password link contains a bad UIDB64 UUID
-------------------------------------+-------------------------------------
Reporter: Mattia Procopio | Owner: Mattia
| Procopio
Type: Bug | Status: closed
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"72667bc6ee00032385d3a3a500a8991ee3749f42" 72667bc]:
{{{
#!CommitTicketReference repository=""
revision="72667bc6ee00032385d3a3a500a8991ee3749f42"
[2.0.x] Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL
contains a non-UUID where one is expected.

Backport of aeb8c381789ad93866223f8bd07d09ae5e2edd9e from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/29206#comment:10>
