Closed Bug 647342 Opened 14 years ago Closed 14 years ago

Unvalidated GET parameters in views.py

Categories

(Websites Graveyard :: markup.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: wenzel, Assigned: adam)

Details

In markup.views.community:

    if 'offset' in request.GET:
        offset = int(request.GET['offset'])
        per_page = int(request.GET['per_page'])

This will error out and throw a 500 page in two cases: if offset or per_page is not a number, and if offset is present but per_page is not. Feel free to just throw an error 400 if you catch any of these errors (unless, of course, this is a use case the user can legitimately reach by making an error other than messing with the URL).
Also keep in mind that if the user inputs something like offset=1&per_page=-12, these two lines will pass, but the request will fail further down in this function, when all this is stuffed into the model. Catch that too, please.
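An added illustration of the kind of validation the report asks for (this is not the fix from comment 2, which is not shown on this page). It is written without Django so it runs stand-alone: `params` stands in for `request.GET`, and `DEFAULT_PER_PAGE`, `MAX_PER_PAGE` and the `community_view` stand-in are assumptions.

```python
# Added example: validate the 'offset' and 'per_page' GET parameters so that
# bad input yields a 400 instead of an uncaught int() error (HTTP 500).
# Django-free; a QueryDict also satisfies Mapping[str, str] via .get().
from typing import Mapping, Tuple

DEFAULT_PER_PAGE = 20   # assumed default when per_page is absent
MAX_PER_PAGE = 100      # assumed upper bound on page size


class BadRequest(Exception):
    """Client error; the view maps it to an HTTP 400 response."""


def parse_non_negative_int(params: Mapping[str, str], name: str, default: int) -> int:
    """Return params[name] as an int, or default when the key is absent.
    Non-integer or negative values raise BadRequest rather than propagating."""
    raw = params.get(name)
    if raw is None:
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise BadRequest(f"{name} must be an integer, got {raw!r}")
    if value < 0:
        raise BadRequest(f"{name} must not be negative, got {value}")
    return value


def pagination_from_query(params: Mapping[str, str]) -> Tuple[int, int]:
    """Validate offset and per_page together. 'offset' without 'per_page'
    (the second crash in the report) falls back to the default page size,
    and per_page is restricted to 1..MAX_PER_PAGE so values such as
    offset=1&per_page=-12 never reach the model layer."""
    offset = parse_non_negative_int(params, "offset", 0)
    per_page = parse_non_negative_int(params, "per_page", DEFAULT_PER_PAGE)
    if per_page == 0 or per_page > MAX_PER_PAGE:
        raise BadRequest(f"per_page must be between 1 and {MAX_PER_PAGE}")
    return offset, per_page


def community_view(params: Mapping[str, str]) -> Tuple[int, str]:
    """Stand-in for the Django view (constructed): returns (status, body)
    so the 400-vs-200 behaviour can be checked without a running server."""
    try:
        offset, per_page = pagination_from_query(params)
    except BadRequest as exc:
        return 400, str(exc)
    return 200, f"items {offset}..{offset + per_page}"
```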
Assignee: nobody → adam
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Fred, can you review the code fix in comment 2? Thanks.
Yup, looks good.
Status: RESOLVED → VERIFIED
Fantastic! Thanks Fred.
Product: Websites → Websites Graveyard