#13632: lack of builtin range checking of id fields
---------------------------------------------------+------------------------
Reporter: anonymous | Owner: nobody
Status: new | Milestone:
Component: Database layer (models, ORM) | Version: SVN
Resolution: | Keywords:
Stage: Unreviewed | Has_patch: 0
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
---------------------------------------------------+------------------------
Changes (by gregmuellegger):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Comment:
The problem with this is that the ID passed into a generic view doesn't
need to be an integer. It's also reasonable that a Model has a non-integer
primary key. So the key from the URL ''must'' be passed to the queryset
without any type checks - we don't know the type!
You can still avoid this issue without writing custom code that checks the
value before passing it into the generic view: Write the URL regexes in
such a way that they force a valid type. For example:
{{{
# \d{1,6} accepts only ids of one to six digits; the view argument is omitted
url(r'^/service/docserver/papers/(?P<id>\d{1,6})/', ...)
}}}
This will throw a 404 for all IDs bigger than 1 000 000.
So this is generally a '''"wont fix"''' from me.
--
Ticket URL: <http://code.djangoproject.com/ticket/13632#comment:1>
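
The effect of bounding the id group in the URL pattern, as an added example that is not part of the ticket comment or of Django: it emulates URL matching with Python's re module rather than Django's resolver. The signed 32-bit id column, the 500 status standing in for the database rejecting an out-of-range id, and the names resolve, safe_digit_count and ASCII_BOUNDED are assumptions made for the illustration.

```python
import re

# Assumption: the primary key column is a signed 32-bit integer.
INT32_MAX = 2**31 - 1
PREFIX = r'^/service/docserver/papers/'

UNBOUNDED = re.compile(PREFIX + r'(?P<id>\d+)/$')      # any run of digits
BOUNDED = re.compile(PREFIX + r'(?P<id>\d{1,6})/$')    # group from the comment
# In Python 3, \d also matches non-ASCII decimal digits; [0-9] does not.
ASCII_BOUNDED = re.compile(PREFIX + r'(?P<id>[0-9]{1,6})/$')


def safe_digit_count(column_max):
    """Largest n for which every n-digit decimal number is <= column_max."""
    return len(str(column_max + 1)) - 1


def resolve(pattern, path, column_max=INT32_MAX):
    """Emulate routing: 404 when the pattern rejects the path, 500 as a
    stand-in for the database rejecting an out-of-range id, else 200."""
    match = pattern.match(path)
    if match is None:
        return 404, None
    value = int(match.group('id'))
    if value > column_max:
        return 500, value
    return 200, value


if __name__ == '__main__':
    # Constructed sample ids, including one written in Arabic-Indic digits.
    samples = ['42', '999999', '1000000', '99999999999', 'abc',
               '\u0661\u0662\u0663']
    for tail in samples:
        path = '/service/docserver/papers/%s/' % tail
        statuses = [resolve(p, path)[0]
                    for p in (UNBOUNDED, BOUNDED, ASCII_BOUNDED)]
        print(ascii(tail), statuses)
    print('digits safe for a 32-bit id:', safe_digit_count(INT32_MAX))
```
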