Re: Fuzzing Django at Google OSS-Fuzz

2019-07-07 Thread Florian Apolloner
Hi Guido,

Wow. That would be very much appreciated. security@dp is just a Google 
mailing list I fear. If you added me, would it be possible that I manage 
the other email addresses, or would you have to do that all? Also for now 
please do not add anyone without my say-so, I'll get in touch with you over 
a verified channel, so you can be sure you are giving access to someone 
from the security team.

Thanks,
Florian

On Saturday, July 6, 2019 at 9:06:42 PM UTC+2, Guido Vranken wrote:
>
> Dear group,
>
> I've built a Django fuzzer that can be used with Google OSS-Fuzz [1].
>
> The current fuzzer harness calls a host of django.util.* and related 
> functions with pseudo-random inputs. Fuzzing these functions can be useful 
> to see if any untrusted input can cause slowdowns, hangs, excessive memory 
> consumption, or unexpected exceptions. There have been several of such 
> issues in recent years (CVE-2018-7537, CVE-2018-7536, CVE-2019-6975 [2]), 
> and it is quite likely that my fuzzer would detect these vulnerabilities 
> automatically. In addition to these general vulnerability classes, the 
> harness can be easily extended to raise a warning on any custom condition.
>
> Are the Django developers interested in OSS-Fuzz integration? If so, I 
> will need one or more email addresses linked to a Google account that will 
> receive the automated bug reports generated by OSS-Fuzz. Because these 
> reports may contain security-sensitive information, it is recommended that 
> only developers who ordinarily deal with security reports are included in 
> this list.
>
> Guido
>
> [1] https://github.com/google/oss-fuzz
> [2] https://docs.djangoproject.com/en/dev/releases/security/
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/87432798-f1fe-46cc-aad5-4700b896e690%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Application specific middleware support

2019-07-07 Thread Kapil Garg
Hi, I am working on one Django project and recently I had the requirement 
for a middleware. But I don't want this middleware to hook to every URL 
served by the whole project but instead, only to one of the apps. I tried 
to look on the internet but everywhere there are hacks to implement it but 
not an in-built support from Django. So I was curious why Django doesn't 
provide support for app specific middleware or if it does then why there 
isn't any neat documentation about it. Thanks



Re: Application specific middleware support

2019-07-07 Thread Adam Johnson
Hi Kapil

The main reason I believe is because URLs are project global, rather than
per app. Yes the root urlconf can include URLs kept within apps, but
because it's a recursive data structure this isn't so easy.

For your use case I'd suggest either:

   - Using class based views, creating a subclass of View in your app with
   your middleware-like behaviour in its dispatch() method, and using that
   subclass in all your app's views
   - or similarly using a view decorator and ensuring it is applied to all
   views in your app

The final option is to use the middleware process_view method and inspect
if the view lives within the target app.

Hope that helps,

Adam

On Sun, 7 Jul 2019 at 16:42, Kapil Garg wrote:

> Hi, I am working on one Django project and recently I had the requirement
> for a middleware. But I don't want this middleware to hook to every URL
> served by the whole project but instead, only to one of the apps. I tried
> to look on the internet but everywhere there are hacks to implement it but
> not an in-built support from Django. So I was curious why Django doesn't
> provide support for app specific middleware or if it does then why there
> isn't any neat documentation about it. Thanks


-- 
Adam
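
The process_view option from the message above, as an added example that is not part of the thread or of Django's own code. The app name `billing`, the middleware class and the stand-in views are hypothetical, and nothing is imported from Django so the block runs offline; it also exercises the case where a decorator hides the module a view was defined in.

```python
# Added example: app-scoped middleware via process_view; all names are hypothetical.
import functools
from types import SimpleNamespace

TARGET_APP = "billing"  # hypothetical package name of the target app


def belongs_to_app(view_func, app=TARGET_APP):
    """True if the resolved view is defined inside the `app` package."""
    # View.as_view() exposes the class as .view_class; plain views are functions.
    target = getattr(view_func, "view_class", view_func)
    module = getattr(target, "__module__", "") or ""
    # Match on a package boundary so "billing_reports" is not taken for "billing".
    return module == app or module.startswith(app + ".")


class BillingOnlyMiddleware:
    """Middleware whose logic runs only for views that live in TARGET_APP."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        return self.get_response(request)

    def process_view(self, request, view_func, view_args, view_kwargs):
        # Django calls this after URL resolution, just before the view runs.
        if belongs_to_app(view_func):
            request.app_scoped = True  # stand-in for the real per-app logic
        return None  # None means "carry on to the view"


def make_view(module):
    """Constructed stand-in for a view defined in `module`."""
    def view(request):
        return "ok"
    view.__module__ = module
    return view


def wrapping_decorator(func):
    @functools.wraps(func)  # copies __module__, so the view stays attributable
    def inner(request):
        return func(request)
    return inner


def opaque_decorator(func):
    def inner(request):  # no functools.wraps: the view's module is hidden
        return func(request)
    inner.__module__ = "thirdparty.decorators"  # constructed for the demo
    return inner


def logic_ran(view_func):
    """Send one constructed request through process_view and report the outcome."""
    request = SimpleNamespace(app_scoped=False)
    BillingOnlyMiddleware(lambda r: None).process_view(request, view_func, (), {})
    return request.app_scoped


if __name__ == "__main__":
    for label, view in [
        ("view in billing", make_view("billing.views")),
        ("wrapped billing view", wrapping_decorator(make_view("billing.views"))),
        ("opaque-decorated billing view", opaque_decorator(make_view("billing.views"))),
    ]:
        print(f"{label}: {logic_ran(view)}")
```

The last case shows the limit of inspecting the view's module: a decorator that does not use functools.wraps hides where the view was defined, so the per-app logic is skipped without any error.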



Re: Application specific middleware support

2019-07-07 Thread Aymeric Augustin
Hello Kapil,

When you talk of a "URL served by an app", I suppose you're referring to URL 
namespaces, which provide a request.current_app attribute associating an HTTP 
request to an app. As far as I know, this is the only association of a request 
and an app that Django defines.

Django's documentation encourages URL namespaces for all pluggable apps. 
Unfortunately, adoption is limited because the benefits aren't sufficiently 
clear for many users. That said, if you need to add a middleware to an app 
that's under your control, you can give this app a URL namespace. Once you've 
done that, in your middleware, you can run your logic only if the request is 
routed to your app: `if request.current_app == "your_app": do_stuff()`.

As to why this isn't documented, most likely, that's because nobody ever had 
this use case and took the time to submit a documentation patch. That's a good 
contribution opportunity :-)

Best regards,

-- 
Aymeric.



> On 7 Jul 2019, at 17:42, Kapil Garg wrote:
> 
> Hi, I am working on one Django project and recently I had the requirement for 
> a middleware. But I don't want this middleware to hook to every URL served by 
> the whole project but instead, only to one of the apps. I tried to look on 
> the internet but everywhere there are hacks to implement it but not an 
> in-built support from Django. So I was curious why Django doesn't provide 
> support for app specific middleware or if it does then why there isn't any 
> neat documentation about it. Thanks



insert or update on table “app_job” violates foreign key constraint “app_job_user_id” DETAIL:Key (user_id)=(1) is not present in table “accounts_user”

2019-07-07 Thread Aayush Bhattarai


*I have used function based View to get data from post Request. I need to 
get many data that also include a primary key field too. I need to push 
data into two models. While doing so, I encountered an error.*

# accounts models.py
from django.db import models
class User(models.Model):
    user_id=models.PositiveIntegerField(blank=True)
    name = models.CharField(max_length=200)
    phone = models.CharField(max_length=200)
    email = models.EmailField(max_length=254)

# app models.py
from accounts.models import User # from accounts models.py
class job(models.Model):
    user = models.ForeignKey(User, on_delete=models.DO_NOTHING)
    ..

# views.py
data = job(.,map_link=map_link,user_id=user_id)
data.save()
info=User(name=name,email=email,phone=phone,user_id=user_id)
info.save()

*Error Message: http://dpaste.com/03Z0EPB *




Re: Application specific middleware support

2019-07-07 Thread Adam Johnson
Aymeric, are you sure about that? I can't find the code, and the docs for
current_app say it's not set by Django itself:
https://docs.djangoproject.com/en/2.2/ref/request-response/#django.http.HttpRequest.current_app

Also middleware can't reliably make use of routing information except in
process_view, because if another middleware changes request.urlconf, it
will be "re-routed".

On Sun, 7 Jul 2019 at 19:51, Aymeric Augustin <
aymeric.augus...@polytechnique.org> wrote:

> Hello Kapil,
>
> When you talk of a "URL served by an app", I suppose you're referring to
> URL namespaces, which provide a request.current_app attribute associating
> an HTTP request to an app. As far as I know, this is the only association
> of a request and an app that Django defines.
>
> Django's documentation encourages URL namespaces for all pluggable apps.
> Unfortunately, adoption is limited because the benefits aren't sufficiently
> clear for many users. That said, if you need to add a middleware to an app
> that's under your control, you can give this app a URL namespace. Once
> you've done that, in your middleware, you can run your logic only if the
> request is routed to your app: `if request.current_app == "your_app":
> do_stuff()`.
>
> As to why this isn't documented, most likely, that's because nobody ever
> had this use case and took the time to submit a documentation patch. That's
> a good contribution opportunity :-)
>
> Best regards,
>
> --
> Aymeric.
>
>
>
> On 7 Jul 2019, at 17:42, Kapil Garg wrote:
>
> Hi, I am working on one Django project and recently I had the requirement
> for a middleware. But I don't want this middleware to hook to every URL
> served by the whole project but instead, only to one of the apps. I tried
> to look on the internet but everywhere there are hacks to implement it but
> not an in-built support from Django. So I was curious why Django doesn't
> provide support for app specific middleware or if it does then why there
> isn't any neat documentation about it. Thanks


-- 
Adam



Re: insert or update on table “app_job” violates foreign key constraint “app_job_user_id” DETAIL:Key (user_id)=(1) is not present in table “accounts_user”

2019-07-07 Thread Adam Johnson
Hi!

I think you've found the wrong mailing list for this post. This mailing
list is for the development of Django itself, not for support using Django.
This means the discussions of bugs and features in Django itself, rather
than in your code using it. People on this list are unlikely to answer your
support query with their limited time and energy. Read more on the mailing
lists at https://www.djangoproject.com/community/

For support, please use the django-users mailing list, or IRC #django on
Freenode, or a site like Stack Overflow. There are people out there willing
to help on those channels, but they might not respond if you don't ask your
question well. Stack Overflow's question guide can help you frame it well:
https://stackoverflow.com/help/how-to-ask .

Also if you haven't read it, please take a look at Django's Code of
Conduct: https://www.djangoproject.com/conduct/ . These are our "ground
rules" for working well as a community, and will help you get the most out
of Django and our fantastic community.

Thanks for your understanding,

Adam

On Sun, 7 Jul 2019 at 20:14, Aayush Bhattarai 
wrote:

> *I have used function based View to get data from post Request. I need to
> get many data that also include a primary key field too. I need to push
> data into two models. While doing so, I encountered an error.*
>
> # accounts models.py
> from django.db import models
> class User(models.Model):
>     user_id=models.PositiveIntegerField(blank=True)
>     name = models.CharField(max_length=200)
>     phone = models.CharField(max_length=200)
>     email = models.EmailField(max_length=254)
>
> # app models.py
> from accounts.models import User # from accounts models.py
> class job(models.Model):
>     user = models.ForeignKey(User, on_delete=models.DO_NOTHING)
>     ..
>
> # views.py
> data = job(.,map_link=map_link,user_id=user_id)
> data.save()
> info=User(name=name,email=email,phone=phone,user_id=user_id)
> info.save()
>
> *Error Message: http://dpaste.com/03Z0EPB *
>
>


-- 
Adam



Re: Application specific middleware support

2019-07-07 Thread Aymeric Augustin
Oops! Scratch that, let's try again...

So Django doesn't create a relationship between incoming HTTP requests and 
applications. You could try to create such a relationship, based on where 
URLconfs or views are defined, but you'll quickly discover tons of edge cases — 
starting with decorators — that make this unreliable in practice. You'd be 
going against Django's #1 design philosophy: loose coupling.

If you have control over the project and you know where the URLconf for the app 
is included, you can do: `if request.path.startswith("/your_app/"): 
do_stuff()`. If you're building a pluggable app and you don't have control over 
the project, you can write a decorator and apply it to every view.

Best regards,

-- 
Aymeric.



> On 7 Jul 2019, at 21:28, Adam Johnson  wrote:
> 
> Aymeric, are you sure about that? I can't find the code, and the docs for 
> current_app say it's not set by Django itself: 
> https://docs.djangoproject.com/en/2.2/ref/request-response/#django.http.HttpRequest.current_app
> 
> Also middleware can't reliably make use of routing information except in 
> process_view, because if another middleware changes request.urlconf, it will 
> be "re-routed".
> 
> On Sun, 7 Jul 2019 at 19:51, Aymeric Augustin wrote:
> Hello Kapil,
> 
> When you talk of a "URL served by an app", I suppose you're referring to URL 
> namespaces, which provide a request.current_app attribute associating an 
> HTTP request to an app. As far as I know, this is the only association of a 
> request and an app that Django defines.
> 
> Django's documentation encourages URL namespaces for all pluggable apps. 
> Unfortunately, adoption is limited because the benefits aren't sufficiently 
> clear for many users. That said, if you need to add a middleware to an app 
> that's under your control, you can give this app a URL namespace. Once you've 
> done that, in your middleware, you can run your logic only if the request is 
> routed to your app: `if request.current_app == "your_app": do_stuff()`.
> 
> As to why this isn't documented, most likely, that's because nobody ever had 
> this use case and took the time to submit a documentation patch. That's a 
> good contribution opportunity :-)
> 
> Best regards,
> 
> -- 
> Aymeric.
> 
> 
> 
>> On 7 Jul 2019, at 17:42, Kapil Garg wrote:
>> 
>> Hi, I am working on one Django project and recently I had the requirement 
>> for a middleware. But I don't want this middleware to hook to every URL 
>> served by the whole project but instead, only to one of the apps. I tried to 
>> look on the internet but everywhere there are hacks to implement it but not 
>> an in-built support from Django. So I was curious why Django doesn't provide 
>> support for app specific middleware or if it does then why there isn't any 
>> neat documentation about it. Thanks