Bug 565581 - [k] ValueError: invalid literal for int() with base 10 trying to post SQL-injection statements
Status: VERIFIED FIXED
Opened 14 years ago; Closed 14 years ago
Category: support.mozilla.org :: Forum (task)
Tracking: Not tracked
Target Milestone: 2.1
People: Reporter: stephend, Assigned: rrosario
I was using https://addons.mozilla.org/en-US/firefox/addon/7597/ (SQL Inject Me) on https://support-stage-new.mozilla.com/en-US/forums/test-forum/1?page=3, and it apparently generated all these exceptions:

Traceback (most recent call last):
  File "/data/virtualenvs/kitsune/src/django/django/core/handlers/base.py", line 101, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/data/www/support-stage-new.mozilla.com/kitsune/apps/forums/views.py", line 102, in reply
    if form.is_valid():
  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 120, in is_valid
    return self.is_bound and not bool(self.errors)
  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 111, in _get_errors
    self.full_clean()
  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 266, in full_clean
    self._clean_fields()
  File "/data/virtualenvs/kitsune/src/django/django/forms/models.py", line 308, in _clean_fields
    super(BaseModelForm, self)._clean_fields()
  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 282, in _clean_fields
    value = field.clean(value)
  File "/data/virtualenvs/kitsune/src/django/django/forms/fields.py", line 154, in clean
    value = self.to_python(value)
  File "/data/virtualenvs/kitsune/src/django/django/forms/models.py", line 964, in to_python
    value = self.queryset.get(**{key: value})
  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 331, in get
    clone = self.filter(*args, **kwargs)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 545, in filter
    return self._filter_or_exclude(False, *args, **kwargs)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 563, in _filter_or_exclude
    clone.query.add_q(Q(*args, **kwargs))
  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/query.py", line 1100, in add_q
    can_reuse=used_aliases)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/query.py", line 1040, in add_filter
    connector)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/where.py", line 66, in add
    value = obj.prepare(lookup_type, value)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/where.py", line 275, in prepare
    return self.field.get_prep_lookup(lookup_type, value)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/fields/__init__.py", line 318, in get_prep_lookup
    return self.get_prep_value(value)
  File "/data/virtualenvs/kitsune/src/django/django/db/models/fields/__init__.py", line 500, in get_prep_value
    return int(value)
ValueError: invalid literal for int() with base 10: '371552815545;'
Updated•14 years ago (Reporter)
Target Milestone: --- → 2.1
Comment 2•14 years ago
The solution, from bug 565577: The author ID and thread ID information should be collected in the view from the request, not taken from the form. Dropping the fields from the form will eliminate this issue.
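The fix described in comment 2, as an added example that is not kitsune's or Django's code: a plain-Python stand-in for the ModelChoiceField path in the traceback above (the raw POST value reaches int() and only DoesNotExist is turned into a form error, so a non-numeric id escapes as a 500), beside the reply view before and after dropping the author and thread fields from the form. The THREADS and USERS sets, the function names and the request_user_id parameter are constructed for illustration.

```python
# Added example, not kitsune's or Django's code: a plain-Python stand-in for the
# ModelChoiceField path in the traceback, plus the reply view before and after
# the change described in comment 2. THREADS, USERS and all names are constructed.

class DoesNotExist(Exception):
    """Stand-in for Model.DoesNotExist."""

class ValidationError(Exception):
    """Stand-in for django.forms.ValidationError (shown as a form error, not a 500)."""

# Constructed fixture: primary keys that exist in the "database".
THREADS = {1, 2}
USERS = {10, 11}

def model_choice_to_python(raw, pks):
    """Mirrors ModelChoiceField.to_python as the traceback shows it:
    queryset.get(pk=raw) ends in IntegerField.get_prep_value -> int(raw).
    Only DoesNotExist is turned into a form error; ValueError escapes."""
    try:
        pk = int(raw)  # '371552815545;' raises ValueError right here
        if pk not in pks:
            raise DoesNotExist(raw)
    except DoesNotExist:
        raise ValidationError("invalid_choice")
    return pk

def reply_before_fix(post):
    """Original shape: the ModelForm exposes 'thread' and 'author', so both ids
    are parsed from client data. A non-numeric id propagates ValueError (HTTP 500)
    and any valid foreign id is accepted as-is, so the client picks the author."""
    return {
        "thread": model_choice_to_python(post["thread"], THREADS),
        "author": model_choice_to_python(post["author"], USERS),
        "content": post["content"],
    }

def reply_after_fix(url_thread_id, request_user_id, post):
    """Fixed shape: the form carries only 'content'. The thread id comes from the
    URL the view was routed on and the author from the authenticated request;
    client-supplied 'thread' or 'author' keys are never parsed."""
    content = post.get("content", "").strip()
    if not content:
        raise ValidationError("content required")
    return {"thread": url_thread_id, "author": request_user_id, "content": content}

def outcome(fn, *args):
    """Run fn and return its result, or the exception class it raised."""
    try:
        return fn(*args)
    except Exception as exc:
        return type(exc)
```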
Updated•14 years ago
Assignee: nobody → rrosario
Comment 3•14 years ago (Assignee)
http://github.com/rlr/kitsune/commit/fa4537b2c9e6824846ac198aee26ae226b4518fb
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 4•14 years ago (Reporter)
I spun off bug 567215; will re-create a dataset that can be used to verify this bug and then re-verify it.
Comment 5•14 years ago (Reporter)
Verified FIXED; ran my XSS Me tool again on the forums, and never saw this error. Thanks, Ricky!
Status: RESOLVED → VERIFIED