Closed Bug 565581 Opened 14 years ago Closed 14 years ago

[k] ValueError: invalid literal for int() with base 10 trying to post SQL-injection statements

Categories

(support.mozilla.org :: Forum, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: stephend, Assigned: rrosario)


Details

I was using https://addons.mozilla.org/en-US/firefox/addon/7597/ (SQL Inject Me) on https://support-stage-new.mozilla.com/en-US/forums/test-forum/1?page=3, and it apparently generated all these exceptions:

Traceback (most recent call last):

  File "/data/virtualenvs/kitsune/src/django/django/core/handlers/base.py", line 101, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File "/data/www/support-stage-new.mozilla.com/kitsune/apps/forums/views.py", line 102, in reply
    if form.is_valid():

  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 120, in is_valid
    return self.is_bound and not bool(self.errors)

  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 111, in _get_errors
    self.full_clean()

  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 266, in full_clean
    self._clean_fields()

  File "/data/virtualenvs/kitsune/src/django/django/forms/models.py", line 308, in _clean_fields
    super(BaseModelForm, self)._clean_fields()

  File "/data/virtualenvs/kitsune/src/django/django/forms/forms.py", line 282, in _clean_fields
    value = field.clean(value)

  File "/data/virtualenvs/kitsune/src/django/django/forms/fields.py", line 154, in clean
    value = self.to_python(value)

  File "/data/virtualenvs/kitsune/src/django/django/forms/models.py", line 964, in to_python
    value = self.queryset.get(**{key: value})

  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 331, in get
    clone = self.filter(*args, **kwargs)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 545, in filter
    return self._filter_or_exclude(False, *args, **kwargs)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/query.py", line 563, in _filter_or_exclude
    clone.query.add_q(Q(*args, **kwargs))

  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/query.py", line 1100, in add_q
    can_reuse=used_aliases)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/query.py", line 1040, in add_filter
    connector)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/where.py", line 66, in add
    value = obj.prepare(lookup_type, value)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/sql/where.py", line 275, in prepare
    return self.field.get_prep_lookup(lookup_type, value)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/fields/__init__.py", line 318, in get_prep_lookup
    return self.get_prep_value(value)

  File "/data/virtualenvs/kitsune/src/django/django/db/models/fields/__init__.py", line 500, in get_prep_value
    return int(value)

ValueError: invalid literal for int() with base 10: '371552815545;'
Target Milestone: --- → 2.1
The solution, from bug 565577: The author ID and thread ID information should be collected in the view from the request, not taken from the form.

Dropping the fields from the form will eliminate this issue.
Assignee: nobody → rrosario
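The fix described in the comment above, modelled as an added stand-alone Python example (not Kitsune's or Django's code): `lookup_thread` stands in for the ModelChoiceField lookup from the traceback, `dispatch` for Django's request handler, and the thread table, URL capture and user are constructed assumptions. `reply_before` keeps the ids as form fields and crashes on the tampered value; `reply_after` takes them from the URL and session, so the form has no id left to tamper with.

```python
"""Constructed model of bug 565581 (not Kitsune or Django code)."""

class ValidationError(Exception):
    """User-facing form failure: re-render the form, do not crash."""

# Constructed stand-in for the Thread table: primary key -> title.
THREADS = {1: "test-forum thread 1"}

def lookup_thread(raw_pk):
    """Mimics ModelChoiceField.to_python -> queryset.get(pk=raw_pk):
    IntegerField.get_prep_value coerces with int(), so a tampered value
    such as '371552815545;' raises ValueError, not ValidationError."""
    pk = int(raw_pk)
    if pk not in THREADS:
        raise ValidationError("no such thread")
    return THREADS[pk]

def dispatch(view, *args):
    """Models get_response(): an exception the view does not handle
    becomes a 500 response, which is what the traceback above shows."""
    try:
        return view(*args)
    except Exception as exc:
        return ("500", type(exc).__name__, str(exc))

def reply_before(post):
    """Original shape: thread and author ids are hidden form fields,
    so any POST body decides what the lookup is attempted with."""
    try:
        thread = lookup_thread(post["thread"])
        author = int(post["author"])
    except ValidationError as exc:
        return ("form_error", str(exc), None)
    return ("ok", thread, author)

def reply_after(thread_id, user, post):
    """Fixed shape: thread id is the URL capture (assumed matched as digits
    and already an int), author is the logged-in user, and the form only
    carries the reply body, so no id field is left for a client to tamper."""
    content = post.get("content", "").strip()
    if not content:
        return ("form_error", "content required", None)
    if thread_id not in THREADS:
        return ("404", None, None)  # get_object_or_404 equivalent
    return ("ok", THREADS[thread_id], user)

if __name__ == "__main__":
    tampered = {"thread": "371552815545;", "author": "1", "content": "x"}
    print(dispatch(reply_before, tampered))  # ('500', 'ValueError', ...)
    print(dispatch(reply_after, 1, "stephend", tampered))  # ('ok', ...)
```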
http://github.com/rlr/kitsune/commit/fa4537b2c9e6824846ac198aee26ae226b4518fb
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I spun off bug 567215; will re-create a dataset that can be used to verify this bug and then re-verify it.
Verified FIXED; ran my XSS Me tool again on the forums, and never saw this error.

Thanks, Ricky!
Status: RESOLVED → VERIFIED