#30064: Admin search with a null character crashes with "A string literal cannot
contain NUL (0x00) characters." on PostgreSQL
-------------------------------+------------------------------------
Reporter: kenichi-cc | Owner: nobody
Type: Bug | Status: new
Component: contrib.admin | Version: 2.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by Simon Charette):
I think this should be fixed at the admin layer just like #28201 was fixed
at the form later; scanning each query string parameters for `'\x00'` as
suggested in [https://github.com/django/django/pull/10884 this PR] will
affect performance and is overkill IMO.
In my opinion the issue is that the admin is relying on unsanitized
`request.GET` passing to the ORM, that looks like the same class of issues
as `Model.objects.get(int_field='foo')`. The admin should use a form to
sanitize the input to rely on #28201 cleansing mechanism.
--
Ticket URL: <https://code.djangoproject.com/ticket/30064#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/068.3d8c14e2be7fa44983df3eeb8095f7ce%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
