Thanks for the hint. I indeed used the fuzzer a while ago with an older Python version. I just tried to save this kind of string and I now receive the same `ValueError` when the malicious string would get saved to the DB.

On Wednesday, 8 March 2023 at 01:06:41 UTC+1 Mike Dewhirst wrote:
> On 8/03/2023 7:49 am, hi via Django users wrote:
> > Hello everybody,
> >
> > I’ve used a fuzzer on my Django v3.2 project that resulted in a broken admin interface. I’m not sure whether this is a bug or a rough edge case.
> >
> > I’m using Python 3.9.13 with Django 3.2.18 with Postgres.
> >
> > I have a Model with a JSONField and also added the model to my admin view (I don’t use the JSON field on the list view / filter)
> >
> > ```
> > data = models.JSONField(null=True, blank=True)
> > ```
> >
> > The fuzzer added (via an API view) a string with 10,000 characters to the data field.
> >
> > Every time I want to open the admin list view (and the malicious object is part of the page), my Django crashes with the following message:
>
> It appears the fix introduced the ValueError in the following version to the one you are using hence fuzzing is probably finding a different problem.
>
> Everything I have read in Django docs about collecting external input warns against letting stuff in unfiltered.
>
> Perhaps you do have to prevent malicious strings. I think I would.
>
> > > ValueError
> > >
> > > Exceeds the limit (4300) for integer string conversion: value has 10000 digits; use sys.set_int_max_str_digits() to increase the limit
> >
> > I have attached my Sentry stack trace as a screenshot.
> >
> > If this is an intended behavior, I have to validate the data to prevent malicious strings. But it feels like the admin interface should be able to handle those JSON values.
> >
> > It looks like the Python releases in Sep 2022 have to do with this bug/edge case:
> > https://mail.python.org/archives/list/[email protected]/message/B25APD6FF27NJWKTEGAFRUDNSVVAFIHQ/
> >
> > Kind Regards,
> > Johannes
> >
> > --
> > To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6172A96F-F5FD-4694-9597-DFA815297945%40jfilter.de
>
> --
> Signed email is an absolute defence against phishing. This email has been signed with my private key. If you import my public key you can automatically decrypt my signature and be sure it came from me. Your email software can handle signing.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/474230e5-ad03-4704-b15d-1b231d549945n%40googlegroups.com.
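The failure the thread is circling is a JSON number literal with more digits than the interpreter will convert to an int: on a patched Python the stock `json.loads` calls `int()` on the whole token and raises `ValueError`, first when the admin renders the row and, after the Python upgrade, already at save time. The example below is added for this page; it is not code from the thread or from Django. It uses only the standard library and makes the check fail closed at the parsing layer with an application error, well below the interpreter's 4300-digit default. `BoundedDecoder`, `MAX_NUMBER_DIGITS`, `check`, `oversized_ints` and the sample payloads are names and inputs constructed here; that Django's `models.JSONField` and `forms.JSONField` accept a `json.JSONDecoder` subclass via `decoder=` is documented, but how a given project wires it in is an assumption.

```python
import json
import sys

# Constructed sample payloads (not taken from the thread). A JSON *number*
# literal of 10,000 digits makes the parser call int() on the whole token;
# the same digits inside a JSON *string* never reach int() and parse fine.
DIGITS = "9" * 10_000
MALICIOUS_NUMBER = DIGITS                 # bare JSON number, 10,000 digits
HARMLESS_STRING = json.dumps(DIGITS)      # "999...9" as a JSON string
NORMAL_PAYLOAD = '{"id": 42, "scores": [1, 2, 3], "note": "x"}'

# Hypothetical application limit (assumption). Kept far below the interpreter
# default (sys.get_int_max_str_digits() == 4300 on patched Pythons) so the
# application fails with its own clear error before the interpreter does.
MAX_NUMBER_DIGITS = 100


class NumberTooLong(ValueError):
    """Raised for a JSON number literal longer than MAX_NUMBER_DIGITS."""


def _check_token(token: str) -> None:
    # json hands parse_int/parse_float the raw token, e.g. "-123" or "1.5e3".
    length = len(token.lstrip("-"))
    if length > MAX_NUMBER_DIGITS:
        raise NumberTooLong(
            f"JSON number literal has {length} characters; limit is {MAX_NUMBER_DIGITS}"
        )


def bounded_int(token: str) -> int:
    _check_token(token)
    return int(token)


def bounded_float(token: str) -> float:
    _check_token(token)
    return float(token)


class BoundedDecoder(json.JSONDecoder):
    """json.JSONDecoder subclass that refuses oversized number literals.

    Intended for the decoder= argument of Django's models.JSONField and
    forms.JSONField (assumption: that is how a project would wire it in).
    """

    def __init__(self, *args, **kwargs):
        kwargs.setdefault("parse_int", bounded_int)
        kwargs.setdefault("parse_float", bounded_float)
        super().__init__(*args, **kwargs)


def safe_loads(text: str):
    """Parse JSON text, rejecting number literals longer than MAX_NUMBER_DIGITS."""
    return json.loads(text, cls=BoundedDecoder)


def check(text: str) -> str:
    """Classify a raw payload as 'ok' or 'rejected: <reason>' (validator-style)."""
    try:
        safe_loads(text)
        return "ok"
    except NumberTooLong as exc:
        return f"rejected: {exc}"
    except ValueError as exc:  # malformed JSON, or the interpreter's own digit limit
        return f"rejected: {type(exc).__name__}"


def oversized_ints(obj, max_digits: int = MAX_NUMBER_DIGITS) -> list:
    """Find already-parsed ints with more than max_digits decimal digits.

    Compares against 10**max_digits instead of len(str(n)): str() on a huge
    int is exactly the conversion that raises ValueError on patched Pythons.
    Useful for auditing rows stored before the decoder guard existed.
    """
    limit = 10 ** max_digits
    found, stack = [], [obj]
    while stack:
        cur = stack.pop()
        if isinstance(cur, bool):          # bool is an int subclass; skip it
            continue
        if isinstance(cur, int):
            if abs(cur) >= limit:
                found.append(cur)
        elif isinstance(cur, dict):
            stack.extend(cur.values())
        elif isinstance(cur, list):
            stack.extend(cur)
    return found


def stock_loads_result(text: str) -> str:
    """What the unguarded json.loads does; the answer depends on the Python version."""
    try:
        json.loads(text)
        return "parsed"
    except ValueError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    limit = getattr(sys, "get_int_max_str_digits", lambda: None)()
    print("interpreter int/str digit limit:", limit)
    print("stock json.loads on 10,000-digit number:", stock_loads_result(MALICIOUS_NUMBER))
    for name, payload in [("number", MALICIOUS_NUMBER),
                          ("string", HARMLESS_STRING),
                          ("normal", NORMAL_PAYLOAD)]:
        print(f"{name}: {check(payload)}")
```

Wiring this in would look like `data = models.JSONField(null=True, blank=True, decoder=BoundedDecoder)` on the model and the same `decoder=` on the admin's form field, so that both loading an existing row and validating a submitted one raise `NumberTooLong` instead of an uncaught interpreter error; calling `check()` in the API view turns the fuzzer's payload into a 400 rather than a 500. Because the interpreter's limit also applies to `str(int)`, `oversized_ints()` deliberately never stringifies the values it inspects.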

