Re: [Django] #11061: Malformed POST request cause TypeError in AdminSite.login()

2009-09-10 Thread Django
#11061: Malformed POST request cause TypeError in AdminSite.login()
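-------------------------------------------+--------------------------------
          Reporter:  vvd                   |         Owner:  nobody
            Status:  closed                |     Milestone:
         Component:  django.contrib.admin  |       Version:  SVN
        Resolution:  fixed                 |      Keywords:  admin login
             Stage:  Ready for checkin     |     Has_patch:  1
        Needs_docs:  0                     |   Needs_tests:  0
Needs_better_patch:  0                     |
-------------------------------------------+--------------------------------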
Changes (by lukeplant):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 Fixed in r11493, thanks.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~--~~~~--~~--~--~---



[Django] #11061: Malformed POST request cause TypeError in AdminSite.login()

2009-05-09 Thread Django
#11061: Malformed POST request cause TypeError in AdminSite.login()
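----------------------------------+---------------------------
 Reporter:  vvd                   |       Owner:  nobody
   Status:  new                   |   Milestone:
Component:  django.contrib.admin  |     Version:  SVN
 Keywords:  admin login           |       Stage:  Unreviewed
Has_patch:  1                     |
----------------------------------+---------------------------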
 I found that any visitor can cause a !TypeError on a Django site with
 the contrib.admin application enabled. This can be done by sending a
 malformed authentication POST request without the username parameter but
 with LOGIN_FORM_KEY. This will cause the following exception in the
 !AdminSite.login() function:

 {{{
 Traceback (most recent call last):

   File "/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py", line 86, in get_response
     response = callback(request, *callback_args, **callback_kwargs)

   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 141, in root
     return self.login(request)

   File "/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
     response = view_func(request, *args, **kwargs)

   File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 244, in login
     if u'@' in username:

 TypeError: argument of type 'NoneType' is not iterable
 }}}

 Although there is no security threat with this error, it makes Django
 incompatible with the !McAfee SECURE service. !McAfee performs a sort of
 stress testing by generating a lot of random requests with different URLs
 and form parameters, which cause ~20 Django error messages to appear in
 the mailbox each day.


 I've created a tiny patch with a fix and a test. Affected versions: both
 trunk and 1.0.2

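The failure mode reported in the ticket above, reproduced outside Django as an added example (not code from the ticket, the attached patch, r11493, or Django itself). `login_before` and `login_hardened` are simplified stand-ins for the view, the `LOGIN_FORM_KEY` value and the return strings are constructed, and `crashing_subsets` is a hypothetical regression helper that submits every subset of the form fields, much as the scanner's random requests do.

```python
from itertools import combinations

LOGIN_FORM_KEY = "login_form_key"  # constructed placeholder value
# Constructed sample form; every subset of these fields is submitted below.
FIELDS = {LOGIN_FORM_KEY: "1", "username": "alice", "password": "s3cret"}


def login_before(post):
    """Pattern seen in the traceback: the membership test runs on None."""
    if LOGIN_FORM_KEY not in post:
        return "show login form"
    username = post.get("username")      # None when the parameter is absent
    if "@" in username:                  # TypeError for None
        return "error: e-mail given instead of username"  # stand-in branch
    return "authenticate"


def login_hardened(post):
    """Treat absent parameters as empty and answer with a form error."""
    if LOGIN_FORM_KEY not in post:
        return "show login form"
    username = post.get("username") or ""
    password = post.get("password") or ""
    if not username or not password:
        return "error: username and password are required"
    if "@" in username:
        return "error: e-mail given instead of username"  # stand-in branch
    return "authenticate"


def crashing_subsets(view):
    """Return (fields, exception name) for each subset that makes `view` raise."""
    failures = []
    names = sorted(FIELDS)
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            post = {name: FIELDS[name] for name in subset}
            try:
                view(post)
            except Exception as exc:  # an unhandled error would become a 500
                failures.append((subset, type(exc).__name__))
    return failures


if __name__ == "__main__":
    print("before:  ", crashing_subsets(login_before))
    print("hardened:", crashing_subsets(login_hardened))
```
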