#28202: 500 when using malicious GET parameter in admin -----------------------------------------+------------------------ Reporter: CM Lubinski | Owner: nobody Type: Bug | Status: new Component: contrib.admin | Version: 1.11 Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | -----------------------------------------+------------------------ A malicious GET parameter can cause Django to crash (an unhandled exception, surfacing as an HTTP 500) in the admin screens. As the traceback below shows, the admin list filter passes the raw query-string value through to the field's `get_prep_value`, where `int()` raises `ValueError` for a non-integer string; the failure happens during lookup preparation rather than at the database, and because nothing catches it the changelist view returns a 500 instead of rejecting the filter value.
Reproduction recipe: 0. Set up Django 1.11.1, Postgres (I'm not sure the db matters) using Python 3.5 (though this may apply to other versions). 1. Create an admin account & log in. 2. Hit `/admin/auth/user/?groups__id__exact=sleep(10)`. See the error. The result will be similar to: {{{ dev-api_1 | ERROR 2017-05-12 22:29:34,469 django.request Internal Server Error: /admin/auth/user/ dev-api_1 | Traceback (most recent call last): dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/exception.py", line 41, in inner dev-api_1 | response = get_response(request) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response dev-api_1 | response = self.process_exception_by_middleware(e, request) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response dev-api_1 | response = wrapped_callback(request, *callback_args, **callback_kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 551, in wrapper dev-api_1 | return self.admin_site.admin_view(view)(*args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view dev-api_1 | response = view_func(request, *args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func dev-api_1 | response = view_func(request, *args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/sites.py", line 224, in inner dev-api_1 | return view(request, *args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 67, in _wrapper dev-api_1 | return bound_func(*args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-
packages/django/utils/decorators.py", line 149, in _wrapped_view dev-api_1 | response = view_func(request, *args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 63, in bound_func dev-api_1 | return func.__get__(self, type(self))(*args2, **kwargs2) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 1542, in changelist_view dev-api_1 | self.list_max_show_all, self.list_editable, self, dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 78, in __init__ dev-api_1 | self.queryset = self.get_queryset(request) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 322, in get_queryset dev-api_1 | new_qs = filter_spec.queryset(request, qs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/filters.py", line 137, in queryset dev-api_1 | return queryset.filter(**self.used_parameters) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 782, in filter dev-api_1 | return self._filter_or_exclude(False, *args, **kwargs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 800, in _filter_or_exclude dev-api_1 | clone.query.add_q(Q(*args, **kwargs)) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1261, in add_q dev-api_1 | clause, _ = self._add_q(q_object, self.used_aliases) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1287, in _add_q dev-api_1 | allow_joins=allow_joins, split_subq=split_subq, dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1221, in build_filter dev-api_1 | condition = self.build_lookup(lookups, col, value)
dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1115, in build_lookup dev-api_1 | return final_lookup(lhs, rhs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 24, in __init__ dev-api_1 | self.rhs = self.get_prep_lookup() dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 74, in get_prep_lookup dev-api_1 | return self.lhs.output_field.get_prep_value(self.rhs) dev-api_1 | File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/fields/__init__.py", line 962, in get_prep_value dev-api_1 | return int(value) dev-api_1 | ValueError: invalid literal for int() with base 10: 'sleep(10)' }}} -- Ticket URL: <https://code.djangoproject.com/ticket/28202> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines.