#11061: Malformed POST request causes TypeError in AdminSite.login()
----------------------------------+-----------------------------------------
 Reporter:  vvd                   |       Owner:  nobody    
   Status:  new                   |   Milestone:            
Component:  django.contrib.admin  |     Version:  SVN       
 Keywords:  admin login           |       Stage:  Unreviewed
Has_patch:  1                     |  
----------------------------------+-----------------------------------------
 I found that any visitor can cause a !TypeError on a Django site with the
 contrib.admin application enabled. This can be done by sending a malformed
 authentication POST request without a username parameter but with
 LOGIN_FORM_KEY. This will cause the following exception in the
 !AdminSite.login() function:

 {{{
 Traceback (most recent call last):

   File "/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py", line 86, in get_response
     response = callback(request, *callback_args, **callback_kwargs)

   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 141, in root
     return self.login(request)

   File "/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
     response = view_func(request, *args, **kwargs)

   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 244, in login
     if u'@' in username:

 TypeError: argument of type 'NoneType' is not iterable
 }}}

 Although there is no security threat with this error, it makes Django
 incompatible with the !McAfee SECURE service. !McAfee performs a sort of
 stress testing by generating a lot of random requests with different URLs
 and form parameters, which causes ~20 Django error messages to appear in
 the mailbox each day.


 I've created a tiny patch with a fix and a test. Affected versions: both
 trunk and 1.0.2.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11061>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
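The failure in the ticket is a missing-form-field check: `dict.get()` on the POST data returns `None` for an absent `username`, and `'@' in None` raises the `TypeError` shown in the traceback. The following is an added example, not Django's code and not the reporter's attached patch: it re-creates that pattern in a small stand-in for the failed-login branch of `AdminSite.login()` and shows a hardened version that normalises an absent or non-string field to empty text before inspecting it. The dicts stand in for `request.POST`, the message strings and the `LOGIN_FORM_KEY` value are assumed, and the authentication failure is assumed for the constructed input.

```python
# Added example (not Django's code, not the reporter's patch): a minimal
# re-creation of the TypeError pattern from the ticket and one way to
# harden it. Dicts below stand in for request.POST; values are assumed.

ERROR_MESSAGE = "Please enter a correct username and password."
EMAIL_HINT = ("Your e-mail address is not your username. "
              "Try your username instead.")

# Constant name taken from the ticket; the value is assumed for this example.
LOGIN_FORM_KEY = "this_is_the_login_form"


def error_message_unsafe(post):
    """Mirrors the pattern behind the traceback: dict.get() yields None for
    a missing 'username' key, and `'@' in None` raises TypeError."""
    username = post.get("username", None)
    if "@" in username:
        return EMAIL_HINT
    return ERROR_MESSAGE


def error_message_hardened(post):
    """Treat an absent or non-string field as empty text before inspecting
    it, so a hand-crafted POST cannot reach an unhandled exception (and the
    resulting error e-mail) from the view."""
    username = post.get("username")
    if not isinstance(username, str):
        username = ""
    if "@" in username:
        return EMAIL_HINT
    return ERROR_MESSAGE


def handle_login_post(post, message_func):
    """Stand-in for the part of AdminSite.login() that runs when the login
    form was submitted (LOGIN_FORM_KEY present) but authentication failed.
    Returns the message the view would render, or None when the request is
    not a login submission at all."""
    if LOGIN_FORM_KEY not in post:
        return None
    # Authentication is assumed to have failed for this constructed input.
    return message_func(post)


# Constructed inputs: the malformed request from the ticket (login form key
# but no username) and an ordinary failed login using an e-mail address.
MALFORMED_POST = {LOGIN_FORM_KEY: "1", "password": "x"}
NORMAL_POST = {LOGIN_FORM_KEY: "1", "username": "alice@example.com",
               "password": "x"}


def reproduce():
    """Returns (unsafe_raised, hardened_message, normal_message): whether
    the unsafe variant raised TypeError on the malformed POST, what the
    hardened variant returns for it, and what it returns for a normal
    failed login."""
    try:
        handle_login_post(MALFORMED_POST, error_message_unsafe)
        unsafe_raised = False
    except TypeError:
        unsafe_raised = True
    return (
        unsafe_raised,
        handle_login_post(MALFORMED_POST, error_message_hardened),
        handle_login_post(NORMAL_POST, error_message_hardened),
    )


if __name__ == "__main__":
    print(reproduce())
```

The hardened variant keeps the view's behaviour for well-formed input (the e-mail hint still appears when the submitted username contains `@`) while turning the malformed request into the ordinary "incorrect username and password" response, which is the outcome a server should produce for junk form data rather than a 500 and an error e-mail.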