#28201: 500 when using a null character, Postgres + Python 3.5.3
-----------------------------------------+------------------------
               Reporter:  CM Lubinski    |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  contrib.admin  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 Input containing null characters causes Django to crash with a 500 when saving data.

 Reproduction recipe:
 0. Set up Django 1.11.1 and Postgres (I don't think the Postgres version matters) using
 Python 3.5 (though this may apply to any 3.x).
 1. Create an admin account & login.
 2. Navigate to `/admin/auth/group/add/`
 3. Using the JavaScript console, execute
 {{{
 $('#id_name').val("\x00something")
 }}}
 4. Submit the form and observe the error.

 The result will be similar to:
 {{{
 dev-api_1           | Internal Server Error: /admin/auth/group/add/
 dev-api_1           | Traceback (most recent call last):
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/exception.py", line 41, in inner
 dev-api_1           |     response = get_response(request)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/base.py", line 187, in _get_response
 dev-api_1           |     response =
 self.process_exception_by_middleware(e, request)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/base.py", line 185, in _get_response
 dev-api_1           |     response = wrapped_callback(request,
 *callback_args, **callback_kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 551, in wrapper
 dev-api_1           |     return self.admin_site.admin_view(view)(*args,
 **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 149, in _wrapped_view
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/sites.py", line 224, in inner
 dev-api_1           |     return view(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 1508, in add_view
 dev-api_1           |     return self.changeform_view(request, None,
 form_url, extra_context)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 67, in _wrapper
 dev-api_1           |     return bound_func(*args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 149, in _wrapped_view
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 63, in bound_func
 dev-api_1           |     return func.__get__(self, type(self))(*args2,
 **kwargs2)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 1408, in changeform_view
 dev-api_1           |     return self._changeform_view(request, object_id,
 form_url, extra_context)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 1440, in _changeform_view
 dev-api_1           |     if form.is_valid():
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/forms/forms.py", line 183, in is_valid
 dev-api_1           |     return self.is_bound and not self.errors
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/forms/forms.py", line 175, in errors
 dev-api_1           |     self.full_clean()
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/forms/forms.py", line 386, in full_clean
 dev-api_1           |     self._post_clean()
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/forms/models.py", line 402, in _post_clean
 dev-api_1           |     self.validate_unique()
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/forms/models.py", line 411, in validate_unique
 dev-api_1           |     self.instance.validate_unique(exclude=exclude)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/base.py", line 1032, in validate_unique
 dev-api_1           |     errors =
 self._perform_unique_checks(unique_checks)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/base.py", line 1129, in _perform_unique_checks
 dev-api_1           |     if qs.exists():
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/query.py", line 668, in exists
 dev-api_1           |     return self.query.has_results(using=self.db)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/query.py", line 517, in has_results
 dev-api_1           |     return compiler.has_results()
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/compiler.py", line 845, in has_results
 dev-api_1           |     return bool(self.execute_sql(SINGLE))
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/compiler.py", line 886, in execute_sql
 dev-api_1           |     raise original_exception
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/compiler.py", line 876, in execute_sql
 dev-api_1           |     cursor.execute(sql, params)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/debug_toolbar/panels/sql/tracking.py", line 165, in execute
 dev-api_1           |     return self._record(self.cursor.execute, sql,
 params)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/debug_toolbar/panels/sql/tracking.py", line 107, in _record
 dev-api_1           |     return method(sql, params)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/backends/utils.py", line 80, in execute
 dev-api_1           |     return super(CursorDebugWrapper,
 self).execute(sql, params)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/backends/utils.py", line 65, in execute
 dev-api_1           |     return self.cursor.execute(sql, params)
 dev-api_1           | ValueError: A string literal cannot contain NUL
 (0x00) characters.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28201>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
