Re: How can I work around the Django 3.2.10 cve release

2022-05-21 Thread Jason
https://docs.djangoproject.com/en/4.0/ref/urls/#django.urls.path

This was one of the additions in 2.0, and from what it seems like, you're 
not doing anything specific with regex that cannot be done with a path 
alternative.

ie,

    re_path(r"invoice/(?P<id>\d+)/$", billing_views.invoice_view, name="invoice_view"),

would be `path("invoice/<int:id>/", billing_views.invoice_view, name="invoice_view")`

wonder if this works for you.

also, this might be worth opening a bug ticket about, since this seems like 
a regression.


On Saturday, May 21, 2022 at 7:56:55 AM UTC-4 dashlaksh...@gmail.com wrote:

> There are not a big bunch of differences. You can also upgrade the version 
> in production. 
>
> On Sat, 21 May, 2022, 15:10 Mike Dewhirst,  wrote:
>
>> I'm still on 3.2.x because it is a long term supported version and my 
>> project is in production. 
>>
>> Django 4.0 is really new with asgi replacing wsgi.
>>
>> I want more unit test coverage before upgrading.
>>
>> Cheers
>>
>> Mike
>>
>> --
>> (Unsigned mail from my phone)
>>
>>
>>
>>  Original message 
>> From: Lakshyaraj Dash XI-D 25  
>> Date: 21/5/22 18:02 (GMT+10:00) 
>> To: django...@googlegroups.com 
>> Subject: Re: How can I work around the Django 3.2.10 cve release 
>>
>> Hey why don't you use django v4 for your projects? 
>>
>> On Fri, 20 May, 2022, 08:43 Mike Dewhirst,  wrote:
>>
>>> My billing (Stripe) mechanism is working right up until Django 3.2.9 - 
>>> which is where I'm stumped at the moment.
>>>
>>> Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/ 
>>> indicate a URL with a trailing newline can bypass
>>> upstream access control based on URL paths.
>>>
>>> Sadly, I am not aware of any such upstream access control.
>>>
>>> I have tried to repair it with fixid() within change_view() where 
>>> object_id occurs but that doesn't achieve anything.
>>>
>>> def fixid(txt):
>>>     try:
>>>         # keep only the part before the first "/"
>>>         return str(txt).split("/")[0]
>>>     except ValueError:
>>>         pass
>>>     return txt
>>>
>>> How can I fix the following error and move forward to 3.2.13?
>>>
>>> Many thanks
>>>
>>> Mike
>>> - - - - - - - -
>>>
>>> Exception Type: ValueError at 
>>> /admin/chemical/chemical/29/change/payment/change/
>>> Exception Value: Field 'id' expected a number but got 
>>> '29/change/payment'.
>>>
>>> Environment:
>>>
>>> Request Method: GET
>>> Request URL: 
>>> http://localhost:8088/admin/chemical/chemical/29/change/payment/change/
>>>
>>> Django Version: 3.2.13
>>> Python Version: 3.8.3
>>> Installed Applications:
>>> ['filebrowser',
>>>   'django.contrib.auth',
>>>   'django.contrib.contenttypes',
>>>   'django.contrib.sessions',
>>>   'django.contrib.messages',
>>>   'django.contrib.admin',
>>>   'django.contrib.admindocs',
>>>   'django.contrib.staticfiles',
>>>   'django.contrib.sites',
>>>   'django.contrib.sitemaps',
>>>   'tinymce',
>>>   'billing',
>>>   'chemical',
>>>   'common',
>>>   'company',
>>>   'credit',
>>>   'refer',
>>>   'report']
>>> Installed Middleware:
>>> ['django.middleware.security.SecurityMiddleware',
>>>   'django.middleware.cache.UpdateCacheMiddleware',
>>>   'django.contrib.sessions.middleware.SessionMiddleware',
>>>   'django.middleware.locale.LocaleMiddleware',
>>>   'django.middleware.common.CommonMiddleware',
>>>   'django.middleware.csrf.CsrfViewMiddleware',
>>>   'django.contrib.auth.middleware.AuthenticationMiddleware',
>>>   'django.contrib.messages.middleware.MessageMiddleware',
>>>   'django.contrib.admindocs.middleware.XViewMiddleware',
>>>   'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>>   'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
>>>   'django.middleware.cache.FetchFromCacheMiddleware']
>>>
>>>
>>>
>>> Traceback (most recent call last):
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
>>>     return int(value)
>>>
>>> The above exception (invalid literal for int() with base 10:
>>> '29/change/payment') was the direct cause of the following exception:
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
>>>     response = get_response(request)
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
>>>     response = wrapped_callback(request, *callback_args, **callback_kwargs)
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
>>>     return self.admin_site.admin_view(view)(*args, **kwargs)
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
>>>     response = view_func(request, *args, **kwargs)
>>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
>>>     response = 
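
An added example, written for this archive page and not code from Jason, Mike or the Django project, tying together the two technical points in the thread: why the 3.2.10 release note talks about a URL with a trailing newline, and what a strict converter such as `<int:id>` guarantees that a permissive match or a post-hoc split like `fixid()` does not. The access rule, the sample paths and the `parse_object_id` helper are constructed for illustration; `parse_object_id` stands in for the behaviour of Django's `int` converter and is not Django's own code.

```python
import re

# Constructed sample request paths for illustration; not taken from the thread's logs.
SAMPLE_PATHS = [
    "/admin/chemical/chemical/29/change/",
    "/admin/chemical/chemical/29/change/\n",                 # trailing newline
    "/admin/chemical/chemical/29/change/payment/change/",    # shape of the URL that failed in the thread
]

# Hypothetical path-based access rule for a single admin change view.
# In Python's re module "$" also matches just before a trailing "\n", so the
# LOOSE rule accepts ".../change/\n"; "\Z" matches only at the true end of input.
LOOSE_RULE = re.compile(r"^/admin/chemical/chemical/(?P<object_id>[0-9]+)/change/$")
STRICT_RULE = re.compile(r"^/admin/chemical/chemical/(?P<object_id>[0-9]+)/change/\Z")


def matches_loose(path: str) -> bool:
    """Return True when the '$'-anchored rule accepts the path."""
    return LOOSE_RULE.match(path) is not None


def matches_strict(path: str) -> bool:
    """Return True when the '\\Z'-anchored rule accepts the path."""
    return STRICT_RULE.match(path) is not None


def parse_object_id(raw: str) -> int:
    """Accept only an unsigned decimal integer, which is the guarantee an
    <int:...> converter gives a view. Anything else, including
    '29/change/payment' or '29\\n', is rejected rather than trimmed or coerced.
    (Stand-in for the converter's behaviour, not Django's own code.)"""
    if re.fullmatch(r"[0-9]+", raw) is None:   # fullmatch is anchored at both ends
        raise ValueError(f"object_id expected a number but got {raw!r}")
    return int(raw)


def int_alone_accepts(raw: str) -> bool:
    """int() strips surrounding whitespace, so int('29\\n') == 29; this shows
    why int() by itself does not reject the trailing-newline case."""
    try:
        int(raw)
        return True
    except ValueError:
        return False


def check_paths(paths=SAMPLE_PATHS):
    """Evaluate both rules over the samples; returns (path, loose, strict) triples."""
    return [(p, matches_loose(p), matches_strict(p)) for p in paths]


if __name__ == "__main__":
    for path, loose, strict in check_paths():
        print(f"{path!r:60} loose={loose!s:5} strict={strict}")
```

Running it shows the newline path accepted by the `$` rule and rejected by the `\Z` rule, and `parse_object_id` refusing `'29/change/payment'` outright, which is the same complaint the `Field 'id' expected a number` error makes, just raised before any query is built. The `int_alone_accepts` helper is there to show that `int()` is not a sufficient check on its own.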

Re: How can I work around the Django 3.2.10 cve release

2022-05-21 Thread Lakshyaraj Dash XI-D 25
There are not a big bunch of differences. You can also upgrade the version
in production.

On Sat, 21 May, 2022, 15:10 Mike Dewhirst,  wrote:

> I'm still on 3.2.x because it is a long term supported version and my
> project is in production.
>
> Django 4.0 is really new with asgi replacing wsgi.
>
> I want more unit test coverage before upgrading.
>
> Cheers
>
> Mike
>
> --
> (Unsigned mail from my phone)
>
>
>
>  Original message 
> From: Lakshyaraj Dash XI-D 25 
> Date: 21/5/22 18:02 (GMT+10:00)
> To: django-users@googlegroups.com
> Subject: Re: How can I work around the Django 3.2.10 cve release
>
> Hey why don't you use django v4 for your projects?
>
> On Fri, 20 May, 2022, 08:43 Mike Dewhirst,  wrote:
>
>> My billing (Stripe) mechanism is working right up until Django 3.2.9 -
>> which is where I'm stumped at the moment.
>>
>> Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/
>> indicate a URL with a trailing newline can bypass
>> upstream access control based on URL paths.
>>
>> Sadly, I am not aware of any such upstream access control.
>>
>> I have tried to repair it with fixid() within change_view() where
>> object_id occurs but that doesn't achieve anything.
>>
>> def fixid(txt):
>>     try:
>>         # keep only the part before the first "/"
>>         return str(txt).split("/")[0]
>>     except ValueError:
>>         pass
>>     return txt
>>
>> How can I fix the following error and move forward to 3.2.13?
>>
>> Many thanks
>>
>> Mike
>> - - - - - - - -
>>
>> Exception Type: ValueError at
>> /admin/chemical/chemical/29/change/payment/change/
>> Exception Value: Field 'id' expected a number but got '29/change/payment'.
>>
>> Environment:
>>
>> Request Method: GET
>> Request URL:
>> http://localhost:8088/admin/chemical/chemical/29/change/payment/change/
>>
>> Django Version: 3.2.13
>> Python Version: 3.8.3
>> Installed Applications:
>> ['filebrowser',
>>   'django.contrib.auth',
>>   'django.contrib.contenttypes',
>>   'django.contrib.sessions',
>>   'django.contrib.messages',
>>   'django.contrib.admin',
>>   'django.contrib.admindocs',
>>   'django.contrib.staticfiles',
>>   'django.contrib.sites',
>>   'django.contrib.sitemaps',
>>   'tinymce',
>>   'billing',
>>   'chemical',
>>   'common',
>>   'company',
>>   'credit',
>>   'refer',
>>   'report']
>> Installed Middleware:
>> ['django.middleware.security.SecurityMiddleware',
>>   'django.middleware.cache.UpdateCacheMiddleware',
>>   'django.contrib.sessions.middleware.SessionMiddleware',
>>   'django.middleware.locale.LocaleMiddleware',
>>   'django.middleware.common.CommonMiddleware',
>>   'django.middleware.csrf.CsrfViewMiddleware',
>>   'django.contrib.auth.middleware.AuthenticationMiddleware',
>>   'django.contrib.messages.middleware.MessageMiddleware',
>>   'django.contrib.admindocs.middleware.XViewMiddleware',
>>   'django.middleware.clickjacking.XFrameOptionsMiddleware',
>>   'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
>>   'django.middleware.cache.FetchFromCacheMiddleware']
>>
>>
>>
>> Traceback (most recent call last):
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
>>     return int(value)
>>
>> The above exception (invalid literal for int() with base 10:
>> '29/change/payment') was the direct cause of the following exception:
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
>>     response = get_response(request)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
>>     response = wrapped_callback(request, *callback_args, **callback_kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
>>     return self.admin_site.admin_view(view)(*args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
>>     response = view_func(request, *args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
>>     response = view_func(request, *args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\sites.py", line 232, in inner
>>     return view(request, *args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\aicis\chemical\admin.py", line 268, in change_view
>>     chemical = Chemical.objects.get(id=object_id)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\manager.py", line 85, in manager_method
>>     return getattr(self.get_queryset(), name)(*args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 424, in get
>>     clone = self._chain() if self.query.combinator else self.filter(*args, **kwargs)
>>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\m

Re: How can I work around the Django 3.2.10 cve release

2022-05-21 Thread Mike Dewhirst
I'm still on 3.2.x because it is a long term supported version and my project
is in production.

Django 4.0 is really new with asgi replacing wsgi.

I want more unit test coverage before upgrading.

Cheers

Mike

--
(Unsigned mail from my phone)

 Original message 
From: Lakshyaraj Dash XI-D 25
Date: 21/5/22 18:02 (GMT+10:00)
To: django-users@googlegroups.com
Subject: Re: How can I work around the Django 3.2.10 cve release

Hey why don't you use django v4 for your projects?

On Fri, 20 May, 2022, 08:43 Mike Dewhirst,  wrote:

My billing (Stripe) mechanism is working right up until Django 3.2.9 -
which is where I'm stumped at the moment.

Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/ 
indicate a URL with a trailing newline can bypass
upstream access control based on URL paths.

Sadly, I am not aware of any such upstream access control.

I have tried to repair it with fixid() within change_view() where 
object_id occurs but that doesn't achieve anything.

def fixid(txt):
    try:
        # keep only the part before the first "/"
        return str(txt).split("/")[0]
    except ValueError:
        pass
    return txt

How can I fix the following error and move forward to 3.2.13?

Many thanks

Mike
- - - - - - - -

Exception Type: ValueError at 
/admin/chemical/chemical/29/change/payment/change/
Exception Value: Field 'id' expected a number but got '29/change/payment'.

Environment:

Request Method: GET
Request URL: 
http://localhost:8088/admin/chemical/chemical/29/change/payment/change/

Django Version: 3.2.13
Python Version: 3.8.3
Installed Applications:
['filebrowser',
  'django.contrib.auth',
  'django.contrib.contenttypes',
  'django.contrib.sessions',
  'django.contrib.messages',
  'django.contrib.admin',
  'django.contrib.admindocs',
  'django.contrib.staticfiles',
  'django.contrib.sites',
  'django.contrib.sitemaps',
  'tinymce',
  'billing',
  'chemical',
  'common',
  'company',
  'credit',
  'refer',
  'report']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
  'django.middleware.cache.UpdateCacheMiddleware',
  'django.contrib.sessions.middleware.SessionMiddleware',
  'django.middleware.locale.LocaleMiddleware',
  'django.middleware.common.CommonMiddleware',
  'django.middleware.csrf.CsrfViewMiddleware',
  'django.contrib.auth.middleware.AuthenticationMiddleware',
  'django.contrib.messages.middleware.MessageMiddleware',
  'django.contrib.admindocs.middleware.XViewMiddleware',
  'django.middleware.clickjacking.XFrameOptionsMiddleware',
  'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
  'django.middleware.cache.FetchFromCacheMiddleware']



Traceback (most recent call last):
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
    return int(value)

The above exception (invalid literal for int() with base 10:
'29/change/payment') was the direct cause of the following exception:
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
    response = get_response(request)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
    return self.admin_site.admin_view(view)(*args, **kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\sites.py", line 232, in inner
    return view(request, *args, **kwargs)
  File "D:\Users\mike\envs\xxai\aicis\chemical\admin.py", line 268, in change_view
    chemical = Chemical.objects.get(id=object_id)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 424, in get
    clone = self._chain() if self.query.combinator else self.filter(*args, **kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 941, in filter
    return self._filter_or_exclude(False, args, kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 961, in _filter_or_exclude
    clone._filter_or_exclude_inplace(negate, args, kwargs)
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 968, in _filter_or_exclude_inplace
    self._query.add_q(Q(*args, **kwargs))
  File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 141

Re: How can I work around the Django 3.2.10 cve release

2022-05-21 Thread Lakshyaraj Dash XI-D 25
Hey why don't you use django v4 for your projects?

On Fri, 20 May, 2022, 08:43 Mike Dewhirst,  wrote:

> My billing (Stripe) mechanism is working right up until Django 3.2.9 -
> which is where I'm stumped at the moment.
>
> Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/
> indicate a URL with a trailing newline can bypass
> upstream access control based on URL paths.
>
> Sadly, I am not aware of any such upstream access control.
>
> I have tried to repair it with fixid() within change_view() where
> object_id occurs but that doesn't achieve anything.
>
> def fixid(txt):
>     try:
>         # keep only the part before the first "/"
>         return str(txt).split("/")[0]
>     except ValueError:
>         pass
>     return txt
>
> How can I fix the following error and move forward to 3.2.13?
>
> Many thanks
>
> Mike
> - - - - - - - -
>
> Exception Type: ValueError at
> /admin/chemical/chemical/29/change/payment/change/
> Exception Value: Field 'id' expected a number but got '29/change/payment'.
>
> Environment:
>
> Request Method: GET
> Request URL:
> http://localhost:8088/admin/chemical/chemical/29/change/payment/change/
>
> Django Version: 3.2.13
> Python Version: 3.8.3
> Installed Applications:
> ['filebrowser',
>   'django.contrib.auth',
>   'django.contrib.contenttypes',
>   'django.contrib.sessions',
>   'django.contrib.messages',
>   'django.contrib.admin',
>   'django.contrib.admindocs',
>   'django.contrib.staticfiles',
>   'django.contrib.sites',
>   'django.contrib.sitemaps',
>   'tinymce',
>   'billing',
>   'chemical',
>   'common',
>   'company',
>   'credit',
>   'refer',
>   'report']
> Installed Middleware:
> ['django.middleware.security.SecurityMiddleware',
>   'django.middleware.cache.UpdateCacheMiddleware',
>   'django.contrib.sessions.middleware.SessionMiddleware',
>   'django.middleware.locale.LocaleMiddleware',
>   'django.middleware.common.CommonMiddleware',
>   'django.middleware.csrf.CsrfViewMiddleware',
>   'django.contrib.auth.middleware.AuthenticationMiddleware',
>   'django.contrib.messages.middleware.MessageMiddleware',
>   'django.contrib.admindocs.middleware.XViewMiddleware',
>   'django.middleware.clickjacking.XFrameOptionsMiddleware',
>   'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
>   'django.middleware.cache.FetchFromCacheMiddleware']
>
>
>
> Traceback (most recent call last):
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
>     return int(value)
>
> The above exception (invalid literal for int() with base 10:
> '29/change/payment') was the direct cause of the following exception:
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
>     response = get_response(request)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
>     response = wrapped_callback(request, *callback_args, **callback_kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
>     return self.admin_site.admin_view(view)(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
>     response = view_func(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
>     response = view_func(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\sites.py", line 232, in inner
>     return view(request, *args, **kwargs)
>   File "D:\Users\mike\envs\xxai\aicis\chemical\admin.py", line 268, in change_view
>     chemical = Chemical.objects.get(id=object_id)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\manager.py", line 85, in manager_method
>     return getattr(self.get_queryset(), name)(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 424, in get
>     clone = self._chain() if self.query.combinator else self.filter(*args, **kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 941, in filter
>     return self._filter_or_exclude(False, args, kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 961, in _filter_or_exclude
>     clone._filter_or_exclude_inplace(negate, args, kwargs)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 968, in _filter_or_exclude_inplace
>     self._query.add_q(Q(*args, **kwargs))
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1416, in add_q
>     clause, _ = self._add_q(q_object, self.used_aliases)
>   File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1435, in _add_q
>     child_clause, needed_inne