#13632: lack of builtin range checking of id fields
------------------------------------------+---------------------------------
Reporter: anonymous | Owner: nobody
Status: new | Milestone:
Component: Database layer (models, ORM) | Version: SVN
Keywords: | Stage: Unreviewed
Has_patch: 0 |
------------------------------------------+---------------------------------
The lack of builtin range checking for id fields is a vulnerability.
{{{
/service/docserver/papers/3/ --> produces a document
/service/docserver/papers/6578/ --> produces 404 page
/service/docserver/papers/9999999999999999999/ --> throws OverflowError
}}}
Traceback is at http://paste.pocoo.org/show/218865/
I think the last case should throw DoesNotExist instead of causing a server
error.
In the case at hand I used generic views and sqlite3 DB backend.
Of course, one can check this oneself all over the place; however, that
would be against the DRY principle.
Not to mention, it would be complicated when using generic views.
--
Ticket URL: <http://code.djangoproject.com/ticket/13632>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
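The behaviour the ticket describes can be reproduced without Django: CPython's sqlite3 module binds integer parameters as signed 64-bit values and raises OverflowError when the Python int does not fit. The following is an added example (not code from the ticket or from Django) that reproduces the three URL cases against an in-memory SQLite table and shows the range check the reporter is asking for, applied before the query so that an out-of-range id is reported as "does not exist" rather than as a server error. The table name `papers`, the `DoesNotExist` class, and the helper names are assumptions made for this illustration; `SQLITE_INT_MIN`/`SQLITE_INT_MAX` are the SQLite INTEGER bounds.

```python
import sqlite3

# SQLite stores INTEGER as a signed 64-bit value. Python's sqlite3 module
# raises OverflowError when a bound parameter falls outside this range.
SQLITE_INT_MIN = -(2 ** 63)
SQLITE_INT_MAX = 2 ** 63 - 1


class DoesNotExist(LookupError):
    """Stand-in for a model's DoesNotExist exception (hypothetical class)."""


def pk_in_range(pk, lo=SQLITE_INT_MIN, hi=SQLITE_INT_MAX):
    """True if pk can be bound as a SQLite INTEGER without overflow."""
    return lo <= pk <= hi


def pk_from_url_segment(segment):
    """Parse the id captured from a URL such as /papers/<id>/.

    A generic view receives the id as a string; anything that is not a run
    of digits is treated as a lookup failure rather than a server error.
    """
    if not segment.isdigit():
        raise DoesNotExist(segment)
    return int(segment)


def make_db():
    """Constructed sample data: one paper with id 3 (hypothetical table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE papers (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO papers VALUES (?, ?)", [(3, "paper three")])
    conn.commit()
    return conn


def get_paper_unchecked(conn, pk):
    """Lookup as the ticket describes it: the id goes straight into the query."""
    row = conn.execute("SELECT id, title FROM papers WHERE id = ?", (pk,)).fetchone()
    if row is None:
        raise DoesNotExist(pk)
    return row


def get_paper_checked(conn, pk):
    """Lookup with the range check applied before the query is built."""
    if not pk_in_range(pk):
        raise DoesNotExist(pk)
    return get_paper_unchecked(conn, pk)


def lookup_outcome(getter, segment):
    """Map the result of a lookup to the outcome a web client would see."""
    conn = make_db()
    try:
        pk = pk_from_url_segment(segment)
        return "found:" + getter(conn, pk)[1]
    except DoesNotExist:
        return "not found"           # would render as a 404 page
    except OverflowError:
        return "server error"        # would render as a 500 page
    finally:
        conn.close()


if __name__ == "__main__":
    for segment in ("3", "6578", "9999999999999999999"):
        print(segment, "unchecked:", lookup_outcome(get_paper_unchecked, segment),
              "checked:", lookup_outcome(get_paper_checked, segment))
```

The unchecked lookup reproduces the ticket exactly: id 3 is found, 6578 is not found, and 9999999999999999999 escapes as OverflowError. The checked version turns the third case into the same "not found" outcome as the second, which is the behaviour the reporter argues the ORM should provide once rather than every view having to repeat it.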