Re: How can I work around the Django 3.2.10 cve release

https://docs.djangoproject.com/en/4.0/ref/urls/#django.urls.path

This was one of the additions in 2.0, and from what it seems like, you're not doing anything specific with regex that cannot be done with a path alternative. I.e.,

    re_path(r"invoice/(?P<id>\d+)/$", billing_views.invoice_view, name="invoice_view")

would be

    path("invoice/<int:id>/", billing_views.invoice_view, name="invoice_view")

I wonder if this works for you. Also, this might be worth opening a bug ticket about, since this seems like a regression.

On Saturday, May 21, 2022 at 7:56:55 AM UTC-4 dashlaksh...@gmail.com wrote:
> There is not a big bunch of differences. You can also upgrade the version in production.
Re: How can I work around the Django 3.2.10 cve release

There is not a big bunch of differences. You can also upgrade the version in production.

On Sat, 21 May, 2022, 15:10 Mike Dewhirst wrote:
> I'm still on 3.2.x because it is a long-term supported version and my project is in production.
>
> Django 4.0 is really new with ASGI replacing WSGI.
>
> I want more unit test coverage before upgrading.
>
> Cheers
>
> Mike
Re: How can I work around the Django 3.2.10 cve release

I'm still on 3.2.x because it is a long-term supported version and my project is in production.

Django 4.0 is really new with ASGI replacing WSGI.

I want more unit test coverage before upgrading.

Cheers

Mike

--
(Unsigned mail from my phone)

Original message
From: Lakshyaraj Dash XI-D 25
Date: 21/5/22 18:02 (GMT+10:00)
To: django-users@googlegroups.com
Subject: Re: How can I work around the Django 3.2.10 cve release

Hey, why don't you use Django v4 for your projects?
Re: How can I work around the Django 3.2.10 cve release

Hey, why don't you use Django v4 for your projects?

On Fri, 20 May, 2022, 08:43 Mike Dewhirst wrote:
> My billing (Stripe) mechanism is working right up until Django 3.2.9 -
> which is where I'm stumped at the moment.
>
> Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/
> indicates a URL with a trailing newline can bypass
> upstream access control based on URL paths.
>
> Sadly, I am not aware of any such upstream access control.
>
> I have tried to repair it with fixid() within change_view() where
> object_id occurs but that doesn't achieve anything.
>
> def fixid(txt):
>     try:
>         return str(txt).split("/")[0]
>     except ValueError:
>         pass
>     return txt
>
> How can I fix the following error and move forward to 3.2.13?
>
> Many thanks
>
> Mike
> - - - - - - - -
>
> Exception Type: ValueError at /admin/chemical/chemical/29/change/payment/change/
> Exception Value: Field 'id' expected a number but got '29/change/payment'.
>
> Environment:
>
> Request Method: GET
> Request URL: http://localhost:8088/admin/chemical/chemical/29/change/payment/change/
>
> Django Version: 3.2.13
> Python Version: 3.8.3
> Installed Applications:
> ['filebrowser',
>  'django.contrib.auth',
>  'django.contrib.contenttypes',
>  'django.contrib.sessions',
>  'django.contrib.messages',
>  'django.contrib.admin',
>  'django.contrib.admindocs',
>  'django.contrib.staticfiles',
>  'django.contrib.sites',
>  'django.contrib.sitemaps',
>  'tinymce',
>  'billing',
>  'chemical',
>  'common',
>  'company',
>  'credit',
>  'refer',
>  'report']
> Installed Middleware:
> ['django.middleware.security.SecurityMiddleware',
>  'django.middleware.cache.UpdateCacheMiddleware',
>  'django.contrib.sessions.middleware.SessionMiddleware',
>  'django.middleware.locale.LocaleMiddleware',
>  'django.middleware.common.CommonMiddleware',
>  'django.middleware.csrf.CsrfViewMiddleware',
>  'django.contrib.auth.middleware.AuthenticationMiddleware',
>  'django.contrib.messages.middleware.MessageMiddleware',
>  'django.contrib.admindocs.middleware.XViewMiddleware',
>  'django.middleware.clickjacking.XFrameOptionsMiddleware',
>  'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
>  'django.middleware.cache.FetchFromCacheMiddleware']
>
> Traceback (most recent call last):
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
>     return int(value)
>
> The above exception (invalid literal for int() with base 10: '29/change/payment') was the direct cause of the following exception:
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
>     response = get_response(request)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
>     response = wrapped_callback(request, *callback_args, **callback_kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
>     return self.admin_site.admin_view(view)(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
>     response = view_func(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
>     response = view_func(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\sites.py", line 232, in inner
>     return view(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\aicis\chemical\admin.py", line 268, in change_view
>     chemical = Chemical.objects.get(id=object_id)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\manager.py", line 85, in manager_method
>     return getattr(self.get_queryset(), name)(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 424, in get
>     clone = self._chain() if self.query.combinator else self.filter(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 941, in filter
>     return self._filter_or_exclude(False, args, kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 961, in _filter_or_exclude
>     clone._filter_or_exclude_inplace(negate, args, kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 968, in _filter_or_exclude_inplace
>     self._query.add_q(Q(*args, **kwargs))
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1416, in add_q
>     clause, _ = self._add_q(q_object, self.used_aliases)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1435, in _add_q
>     child_clause, needed_inne
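An added example, not code from this thread or from Django itself: a stdlib-only simplification of how path() routes are turned into regexes, using the converter patterns registered in django.urls.converters, with the route ordering assumed since the actual get_urls() is not shown. It illustrates both the first reply's path()-vs-re_path() point and the original error: a path: converter swallows '29/change/payment' as the object_id, a more specific int: route listed first yields '29', and the 3.2.10 switch from '$' to '\Z' rejects a path with a trailing newline.

```python
import re

# Converter regexes as registered in django.urls.converters (known values);
# the helpers below are a simplification written for this example, not Django code.
CONVERTERS = {
    "int": r"[0-9]+",
    "str": r"[^/]+",
    "slug": r"[-a-zA-Z0-9_]+",
    "path": r".+",  # also matches '/', so it swallows the rest of the URL
}

_PARAM = re.compile(r"<(?:(?P<conv>\w+):)?(?P<name>\w+)>")


def route_to_regex(route: str, terminator: str = r"\Z") -> str:
    """Translate a path()-style route into an anchored regex.

    terminator='$' mimics Django before 3.2.10 ('$' also matches just before
    a trailing newline); '\\Z' mimics the 3.2.10 fix.
    """
    parts, pos = ["^"], 0
    for m in _PARAM.finditer(route):
        parts.append(re.escape(route[pos:m.start()]))
        conv = m.group("conv") or "str"
        parts.append(f"(?P<{m.group('name')}>{CONVERTERS[conv]})")
        pos = m.end()
    parts.append(re.escape(route[pos:]) + terminator)
    return "".join(parts)


def resolve(routes, url, terminator=r"\Z"):
    """Return (route, kwargs) for the first matching route, as a URLconf would."""
    for route in routes:
        m = re.match(route_to_regex(route, terminator), url)
        if m:
            return route, m.groupdict()
    return None


# Admin-style URLconf: the stock change route before a custom payment route
# (assumed ordering; the thread does not show the actual get_urls()).
ADMIN_ROUTES = [
    "admin/chemical/chemical/<path:object_id>/change/",
    "admin/chemical/chemical/<int:object_id>/change/payment/change/",
]

if __name__ == "__main__":
    url = "admin/chemical/chemical/29/change/payment/change/"
    # the path: route wins with object_id='29/change/payment', the value the
    # ValueError in the thread complains about
    print(resolve(ADMIN_ROUTES, url))
    # with the specific int: route first, object_id is '29'
    print(resolve(ADMIN_ROUTES[::-1], url))
    # old '$' terminator tolerates a trailing newline; '\Z' does not
    print(resolve(["admin/"], "admin/\n", "$"))
    print(resolve(["admin/"], "admin/\n"))
```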