Closed
Bug 647342
Opened 14 years ago
Closed 14 years ago
Unvalidated GET parameters in views.py
Categories: Websites Graveyard :: markup.mozilla.org, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: wenzel, Assigned: adam
Details
In markup.views.community:
    if 'offset' in request.GET:
        offset = int(request.GET['offset'])
        per_page = int(request.GET['per_page'])
This will error out and throw a 500 page in two cases: if offset or per_page is not a number, and if offset is present but per_page is not.
Feel free to just throw an error 400 if you catch any of these errors (unless, of course, this is a use case the user can legitimately reach by making an error other than messing with the URL).
Comment 1 (Reporter) • 14 years ago
Also keep in mind that if the user inputs something like offset=1&per_page=-12, these two lines will pass, but the request will fail further down in this function, when all this is stuffed into the model. Catch that too, please.
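The two failure modes raised in the description and in comment 1 (non-numeric or missing values, and values that parse but are invalid such as a negative per_page) can be caught in one place before the parameters reach the model. The following is an added example, not code from the markup project or from the commit linked below; it assumes a plain mapping of query-string values in place of request.GET, treats a missing parameter as a default rather than an error, and uses an assumed upper bound of 100 for per_page.

```python
# Added example (not markup.mozilla.org's code): validate paging parameters
# before they are used for a database query. `params` stands in for Django's
# request.GET; any str -> str mapping with .get() works here.

MAX_PER_PAGE = 100  # assumed upper bound; the project's real limit is unknown


class BadPagingParams(ValueError):
    """Client error. A Django view would turn this into an HTTP 400 response
    (e.g. HttpResponseBadRequest) instead of letting int() raise a 500."""


def _int_param(params, name, default):
    """Return params[name] as a non-negative int, or `default` when absent."""
    raw = params.get(name)
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise BadPagingParams(f"{name} must be an integer, got {raw!r}") from None
    if value < 0:
        # Parses fine, but would break further down when used as a slice/LIMIT.
        raise BadPagingParams(f"{name} must not be negative, got {value}")
    return value


def parse_paging(params, default_per_page=10):
    """Validate offset and per_page together and return them as ints."""
    offset = _int_param(params, "offset", 0)
    per_page = _int_param(params, "per_page", default_per_page)
    if per_page == 0 or per_page > MAX_PER_PAGE:
        raise BadPagingParams(
            f"per_page must be between 1 and {MAX_PER_PAGE}, got {per_page}")
    return offset, per_page


def paging_status(params):
    """HTTP status a view using parse_paging would answer with."""
    try:
        parse_paging(params)
    except BadPagingParams:
        return 400
    return 200
```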
Updated • 14 years ago
Assignee: nobody → adam
Comment 2 (Assignee) • 14 years ago
I believe this was fixed here: https://github.com/mozilla/markup/commit/a21465606e4a5e33feefa56835eb53386e415cc5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 5 • 14 years ago
Fantastic! Thanks Fred.
Updated • 3 years ago
Product: Websites → Websites Graveyard