#18: crash in /yourgroups related to unwashed arguments
------------------------+---------------------------------------------------
 Reporter:  simko       |       Owner:     
     Type:  defect      |      Status:  new
 Priority:  major       |   Milestone:     
Component:  WebSession  |     Version:     
 Keywords:              |  
------------------------+---------------------------------------------------
 The /yourgroups facility should improve its argument washing.

 A URL such as <https://localhost/yourgroups/edit?grpID=foo> leads to a
 500 Internal Server Error and a traceback, because grpID had not been
 washed properly in the web interface layer before being passed on to
 the business logic layer.

 {{{
 >>>> Frame edit in /usr/lib/python2.5/site-packages/invenio/websession_webinterface.py at line 1190
 *******************************************************************************
       1187         else :
       1188             (body, errors, warnings)= webgroup.perform_request_edit_group(uid=uid,
       1189                                                                           grpID=argd['grpID'],
 ----> 1190                                                                           ln=argd['ln'])
       1191
       1192
       1193
 *******************************************************************************


 >>>> Frame perform_request_edit_group in /usr/lib/python2.5/site-packages/invenio/webgroup.py at line 387
 *******************************************************************************
        384
        385     body = ''
        386     errors = []
 ---->  387     user_status = db.get_user_status(uid, grpID)
        388     if not len(user_status):
        389         errors.append('ERR_WEBSESSION_DB_ERROR')
        390         return (body, errors, warnings)
 *******************************************************************************

 >>>> Frame get_user_status in /usr/lib/python2.5/site-packages/invenio/webgroup_dblayer.py at line 296
 *******************************************************************************
        293                 WHERE id_user = %s
        294                 AND id_usergroup=%s"""
        295     uid = int(uid)
 ---->  296     grpID = int(grpID)
        297     res = run_sql(query, (uid, grpID))
        298     return res
        299
 *******************************************************************************
 }}}
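 As an added illustration of the washing the ticket asks for (this is not Invenio's own code; `ARGD_SPEC`, `wash_args` and `handle_edit` are names chosen here, and the argument names grpID and ln come from the traceback above), every URL argument is coerced to its declared type in the web-interface layer, so a value such as grpID=foo is turned into a client error before it can reach `int()` in the database layer:

```python
from typing import Any, Dict, List, Tuple

# Assumed spec format: argument name -> (expected type, default used when
# the value is missing or cannot be converted).
ARGD_SPEC = {
    'grpID': (int, -1),
    'ln': (str, 'en'),
}


def wash_args(raw: Dict[str, Any], spec=ARGD_SPEC) -> Tuple[Dict[str, Any], List[str]]:
    """Coerce every argument in spec to its declared type.

    Returns (washed, rejected): washed always contains every key in spec
    with a value of the right type; rejected lists the keys whose supplied
    value was unusable and was replaced by the default.
    """
    washed: Dict[str, Any] = {}
    rejected: List[str] = []
    for name, (typ, default) in spec.items():
        value = raw.get(name, default)
        try:
            washed[name] = typ(value)
        except (TypeError, ValueError):
            # int('foo'), int('') or int(None) land here instead of
            # propagating up as an unhandled exception.
            washed[name] = default
            rejected.append(name)
    return washed, rejected


def handle_edit(raw_args: Dict[str, str]) -> Tuple[int, str]:
    """Web-interface layer for /yourgroups/edit (constructed stand-in):
    wash first, refuse malformed input, and only then call into the
    business logic with values of known type."""
    argd, rejected = wash_args(raw_args)
    if rejected:
        # A malformed request is the client's fault: answer 400, not 500.
        return (400, 'invalid argument(s): ' + ', '.join(rejected))
    # Here the real code would call webgroup.perform_request_edit_group().
    return (200, 'edit group %d in language %s' % (argd['grpID'], argd['ln']))


if __name__ == '__main__':
    print(handle_edit({'grpID': 'foo'}))       # (400, 'invalid argument(s): grpID')
    print(handle_edit({'grpID': '7', 'ln': 'fr'}))  # (200, 'edit group 7 in language fr')
```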

-- 
Ticket URL: <http://cdswaredev.cern.ch/invenio/ticket/18>
CDS Invenio <http://cdswaredev.cern.ch/invenio>
CDS Invenio digital library software.