#28202: 500 when using malicious GET parameter in admin
-----------------------------------------+------------------------
               Reporter:  CM Lubinski    |          Owner:  nobody
                   Type:  Bug            |         Status:  new
              Component:  contrib.admin  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 Malicious GET parameter can cause Django to crash in the admin screens.

 Reproduction recipe:
 0. Set up Django 1.11.1, Postgres (I'm not sure the db matters) using
 Python 3.5 (though this may apply to other versions).
 1. Create an admin account & log in.
 2. Hit `/admin/auth/user/?groups__id__exact=sleep(10)`. See the error.

 Result will be similar to:
 {{{
 dev-api_1           | ERROR 2017-05-12 22:29:34,469 django.request
 Internal Server Error: /admin/auth/user/
 dev-api_1           | Traceback (most recent call last):
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/exception.py", line 41, in inner
 dev-api_1           |     response = get_response(request)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/base.py", line 187, in _get_response
 dev-api_1           |     response =
 self.process_exception_by_middleware(e, request)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/core/handlers/base.py", line 185, in _get_response
 dev-api_1           |     response = wrapped_callback(request,
 *callback_args, **callback_kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 551, in wrapper
 dev-api_1           |     return self.admin_site.admin_view(view)(*args,
 **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 149, in _wrapped_view
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/sites.py", line 224, in inner
 dev-api_1           |     return view(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 67, in _wrapper
 dev-api_1           |     return bound_func(*args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 149, in _wrapped_view
 dev-api_1           |     response = view_func(request, *args, **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/utils/decorators.py", line 63, in bound_func
 dev-api_1           |     return func.__get__(self, type(self))(*args2,
 **kwargs2)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/options.py", line 1542, in changelist_view
 dev-api_1           |     self.list_max_show_all, self.list_editable,
 self,
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/views/main.py", line 78, in __init__
 dev-api_1           |     self.queryset = self.get_queryset(request)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/views/main.py", line 322, in get_queryset
 dev-api_1           |     new_qs = filter_spec.queryset(request, qs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/contrib/admin/filters.py", line 137, in queryset
 dev-api_1           |     return queryset.filter(**self.used_parameters)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/query.py", line 782, in filter
 dev-api_1           |     return self._filter_or_exclude(False, *args,
 **kwargs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/query.py", line 800, in _filter_or_exclude
 dev-api_1           |     clone.query.add_q(Q(*args, **kwargs))
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/query.py", line 1261, in add_q
 dev-api_1           |     clause, _ = self._add_q(q_object,
 self.used_aliases)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/query.py", line 1287, in _add_q
 dev-api_1           |     allow_joins=allow_joins, split_subq=split_subq,
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/query.py", line 1221, in build_filter
 dev-api_1           |     condition = self.build_lookup(lookups, col,
 value)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/sql/query.py", line 1115, in build_lookup
 dev-api_1           |     return final_lookup(lhs, rhs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/lookups.py", line 24, in __init__
 dev-api_1           |     self.rhs = self.get_prep_lookup()
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/lookups.py", line 74, in get_prep_lookup
 dev-api_1           |     return
 self.lhs.output_field.get_prep_value(self.rhs)
 dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-
 packages/django/db/models/fields/__init__.py", line 962, in get_prep_value
 dev-api_1           |     return int(value)
 dev-api_1           | ValueError: invalid literal for int() with base 10:
 'sleep(10)'
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28202>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
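The traceback shows the failure mode: the admin hands the query-string value straight to the integer field's `get_prep_value`, `int('sleep(10)')` raises `ValueError`, and nothing catches it, so the result is an uncaught exception (HTTP 500) rather than a query (the string never reaches the database). The following is an added, self-contained illustration, not Django's code: it models that unchecked path beside a hardened one that maps an unusable filter value to the admin's existing `IncorrectLookupParameters` exception, which `changelist_view` already answers with a redirect; that this is how the ticket would be fixed is an assumption, and the field table and status codes are constructed.

```python
# Added example (not Django's own code): a minimal model of how an admin
# changelist prepares filter values taken from the query string, and the
# hardening that turns a bad value into a controlled error instead of an
# uncaught ValueError (HTTP 500).

class IncorrectLookupParameters(Exception):
    """Same role as the admin's exception of that name: the view answers
    it with a redirect to the unfiltered list rather than a traceback."""


# Constructed stand-in for the model's field types. Django's IntegerField
# (and a ForeignKey to an integer primary key) prepares a lookup value
# with int(value), which is exactly where the ticket's traceback ends.
FIELD_PREP = {
    "groups__id": int,                              # FK to Group, integer pk
    "is_staff": lambda v: v in ("1", "true", "True"),
    "username": str,
}


def prep_lookup_unchecked(params):
    """Mirror of the reported behaviour: coerce each value with the field's
    prep function and let any ValueError escape to the request handler."""
    return {key: FIELD_PREP[key.rpartition("__")[0]](raw)
            for key, raw in params.items()}   # int("sleep(10)") -> ValueError


def prep_lookup_checked(params):
    """Hardened variant: an unknown field or an unconvertible value becomes
    IncorrectLookupParameters, so the caller can reject the request cleanly."""
    prepped = {}
    for key, raw in params.items():
        field = key.rpartition("__")[0]
        if field not in FIELD_PREP:
            raise IncorrectLookupParameters(f"unknown filter {key!r}")
        try:
            prepped[key] = FIELD_PREP[field](raw)
        except (TypeError, ValueError) as exc:
            raise IncorrectLookupParameters(f"bad value for {key!r}") from exc
    return prepped


def status_for(params, hardened=True):
    """HTTP status a changelist view built on each variant would return:
    200 for a usable filter, 302 (redirect to '?e=1') when the hardened path
    rejects it, 500 when the unchecked path lets ValueError escape."""
    prep = prep_lookup_checked if hardened else prep_lookup_unchecked
    try:
        prep(params)
        return 200
    except IncorrectLookupParameters:
        return 302
    except ValueError:
        return 500
```

Running `status_for({"groups__id__exact": "sleep(10)"}, hardened=False)` reproduces the 500 from the report, while the hardened path returns 302 for the same input and still accepts `{"groups__id__exact": "3"}`.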
