#24319: UUIDField do not properly clean (validate) value in get_db_prep_value
----------------------------------------------+------------------------
     Reporter:  davidfischer-ch               |      Owner:  nobody
         Type:  Bug                           |     Status:  new
    Component:  Database layer (models, ORM)  |    Version:  1.8alpha1
     Severity:  Normal                        |   Keywords:  clean,uuid
 Triage Stage:  Unreviewed                    |  Has patch:  0
Easy pickings:  0                             |      UI/UX:  0
----------------------------------------------+------------------------
 '''Use case''': Using user-supplied input to retrieve a model instance from the database.

 '''Issue''': The UUIDField doesn't properly *clean* the input value,
 meaning the ORM will send the query to the database even when the query
 values aren't valid, so the error surfaces as a backend DataError instead
 of a ValueError raised before the query is executed.

 '''System''': Ubuntu 14.04 LTS + PostgreSQL 9.3

 '''Good''': User.objects.get(pk='ssss') -> ValueError
 '''Bad''': Media.objects.get(pk='ssss') -> DataError

 {{{
 class Media(models.Model):
     # NOTE(review): the second traceback filters on column "cloudncode_media"."uuid",
     # so the reporter's real field is presumably named `uuid` (likely with
     # primary_key=True) rather than `pk` — confirm against the actual model.
     pk = models.UUIDField()
 }}}

 {{{
 >>> User.objects.get(pk='ssss')
 Traceback (most recent call last):
   File "<input>", line 1, in <module>
   File "venv/src/django/django/db/models/manager.py", line 127, in
 manager_method
     return getattr(self.get_queryset(), name)(*args, **kwargs)
   File "venv/src/django/django/db/models/query.py", line 320, in get
     clone = self.filter(*args, **kwargs)
   File "venv/src/django/django/db/models/query.py", line 671, in filter
     return self._filter_or_exclude(False, *args, **kwargs)
   File "venv/src/django/django/db/models/query.py", line 689, in
 _filter_or_exclude
     clone.query.add_q(Q(*args, **kwargs))
   File "venv/src/django/django/db/models/sql/query.py", line 1284, in
 add_q
     clause, require_inner = self._add_q(where_part, self.used_aliases)
   File "venv/src/django/django/db/models/sql/query.py", line 1311, in
 _add_q
     current_negated=current_negated, connector=connector,
 allow_joins=allow_joins)
   File "venv/src/django/django/db/models/sql/query.py", line 1183, in
 build_filter
     condition = self.build_lookup(lookups, col, value)
   File "venv/src/django/django/db/models/sql/query.py", line 1079, in
 build_lookup
     return final_lookup(lhs, rhs)
   File "venv/src/django/django/db/models/lookups.py", line 96, in __init__
     self.rhs = self.get_prep_lookup()
   File "venv/src/django/django/db/models/lookups.py", line 134, in
 get_prep_lookup
     return self.lhs.output_field.get_prep_lookup(self.lookup_name,
 self.rhs)
   File "venv/src/django/django/db/models/fields/__init__.py", line 716, in
 get_prep_lookup
     return self.get_prep_value(value)
   File "venv/src/django/django/db/models/fields/__init__.py", line 974, in
 get_prep_value
     return int(value)
 ValueError: invalid literal for int() with base 10: 'ssss'

 }}}

 {{{
 >>> Media.objects.get(pk='ssss')
 Traceback (most recent call last):
   File "<input>", line 1, in <module>
   File "venv/src/django/django/db/models/manager.py", line 127, in
 manager_method
     return getattr(self.get_queryset(), name)(*args, **kwargs)
   File "venv/src/django/django/db/models/query.py", line 326, in get
     num = len(clone)
   File "venv/src/django/django/db/models/query.py", line 145, in __len__
     self._fetch_all()
   File "venv/src/django/django/db/models/query.py", line 955, in
 _fetch_all
     self._result_cache = list(self.iterator())
   File "venv/src/django/django/db/models/query.py", line 239, in iterator
     results = compiler.execute_sql()
   File "venv/src/django/django/db/models/sql/compiler.py", line 826, in
 execute_sql
     cursor.execute(sql, params)
   File "venv/src/django/django/db/backends/utils.py", line 80, in execute
     return super(CursorDebugWrapper, self).execute(sql, params)
   File "venv/src/django/django/db/backends/utils.py", line 65, in execute
     return self.cursor.execute(sql, params)
   File "venv/src/django/django/db/utils.py", line 95, in __exit__
     six.reraise(dj_exc_type, dj_exc_value, traceback)
   File "venv/src/django/django/utils/six.py", line 658, in reraise
     raise value.with_traceback(tb)
   File "venv/src/django/django/db/backends/utils.py", line 65, in execute
     return self.cursor.execute(sql, params)
 django.db.utils.DataError: invalid input syntax for uuid: "ssss"
 LINE 1: ...oudncode_media" WHERE "cloudncode_media"."uuid" = 'ssss' LIM...
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24319>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
