#11061: Malformed POST request causes TypeError in AdminSite.login()
----------------------------------+-----------------------------------------
 Reporter: vvd                    | Owner: nobody
   Status: new                    | Milestone:
Component: django.contrib.admin   | Version: SVN
 Keywords: admin login            | Stage: Unreviewed
Has_patch: 1                      |
----------------------------------+-----------------------------------------
 I found that any visitor can cause a !TypeError on a Django site with the
 contrib.admin application enabled. This can be done by sending a malformed
 authentication POST request without a username parameter but with
 LOGIN_FORM_KEY. This will cause the following exception in the
 !AdminSite.login() function:

 {{{
 Traceback (most recent call last):
   File "/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py", line 86, in get_response
     response = callback(request, *callback_args, **callback_kwargs)
   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 141, in root
     return self.login(request)
   File "/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
     response = view_func(request, *args, **kwargs)
   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 244, in login
     if u'@' in username:
 TypeError: argument of type 'NoneType' is not iterable
 }}}

 Although there is no security threat with this error, it makes Django
 incompatible with the !McAfee SECURE service. !McAfee performs a sort of
 stress testing by generating a lot of random requests with different URLs
 and form parameters, which causes ~20 Django error messages to appear in
 the mailbox each day. I've created a tiny patch with a fix and test.

 Affected versions: both trunk and 1.0.2

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11061>
Django <http://code.djangoproject.com/>
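As an added illustration (not the reporter's patch and not Django's own code), a stand-in for the admin login handler that reproduces the failing `u'@' in username` check from the traceback, beside a hardened version that treats a missing or empty field as an ordinary failed login instead of an unhandled exception. The dict-based request, the sample accounts and the LOGIN_FORM_KEY value are constructed assumptions.

```python
import hmac

# Constructed stand-in for django.contrib.admin's LOGIN_FORM_KEY (assumption).
LOGIN_FORM_KEY = "this_is_the_login_form"

# Constructed sample accounts standing in for the auth User table (assumption).
USERS = {"alice": {"email": "alice@example.com", "password": "s3cret"}}


def _username_for_email(email):
    """Look up the username behind an e-mail address, or None."""
    for name, info in USERS.items():
        if info["email"] == email:
            return name
    return None


def _authenticate(username, password):
    """Return the username on a matching password, else None."""
    info = USERS.get(username)
    if info is None:
        return None
    return username if hmac.compare_digest(info["password"], password) else None


def login_vulnerable(post):
    """Mirrors the check at the bottom of the ticket's traceback."""
    username = post.get("username", None)
    password = post.get("password", None)
    if u"@" in username:  # TypeError when 'username' is absent from the POST
        username = _username_for_email(username)
    return _authenticate(username, password)


def login_hardened(post):
    """Same flow, but a missing field is a failed login, not a server error."""
    username = post.get("username", "")
    password = post.get("password", "")
    if not username or not password:
        return None
    if u"@" in username:
        username = _username_for_email(username)
    return _authenticate(username, password)


def probe(handler, post):
    """Run a handler on a POST dict; report any unhandled exception by name."""
    try:
        return ("ok", handler(post))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    bad = {LOGIN_FORM_KEY: "1"}  # the malformed request from the ticket
    print(probe(login_vulnerable, bad))  # ('error', 'TypeError')
    print(probe(login_hardened, bad))    # ('ok', None)
```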