Closed Bug 733520 Opened 13 years ago Closed 13 years ago

django forms aren't escaped on bedrock-dev

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Other
Platform:
x86
macOS
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jlong, Assigned: jlong)

References

Details

This is a little strange, but django forms aren't being escaped on the bedrock-dev site: https://www-dev.allizom.org/en-US/apps/ It works fine locally. Someone pointed me to the monkeypatches at funfactory runs: https://github.com/mozilla/funfactory/blob/master/funfactory/monkeypatches.py The safe_django_forms.patch() is the thing that should be happening. Can you check the logs to make sure that the string "Note: funfactory monkey patches executed in ..." is being logged so see if the patches are being applied?
I'm not sure where this would be logged... any ideas? I don't see anything in the error_log for www-dev.allizom.org that looks like django-ish... mostly just file-does-not-exist and various PHP warnings/errors. I do see that file in ./vendor/src/funfactory/funfactory/monkeypatches.py... so it does at least exist on the system.
Assignee: server-ops → bburton
I'll try to get this figured out on Monday
Status: NEW → ASSIGNED
I've temporarily forced the forms to be escaped with the `safe` filter, but it's a little concerning that the monkeypatch wasn't working. I wonder if there are other patches that aren't being applied. Once you get to work on this, let me know and I can come up with a test case.
As I understand it, it's not certain that that monkeypatch is actually not being applied, there could be another way in which, perhaps, Jinja2 isn't working the way it should. Post-release, if it helps, we could also give James access to the dev server to try and poke around a django shell on the actual server.
(In reply to Fred Wenzel [:wenzel] from comment #5) > Post-release, if it helps, we could also give James access to the dev server > to try and poke around a django shell on the actual server. Good idea, he should have already been there. I just added him to the user list, should make its way to the webheads within the next 20-40 mins.
Thanks! I'll look around after tomorrow's push.
Ok, the monkey patches are definitely not being applied. I can't believe I didn't notice this before, but we're getting CSRF errors on the forms, and the CSRF library is a monkey patch. We need to fix this today so QA can test the forms for tomorrows push. Which server do I ssh to?
Either of bedrock[1-2].dev.seamicro.phx1.mozilla.com will be serving the dev site If you do something like the following curl, you can test one server directly and watch logs curl -H "Host: www.mozilla.org" -v bedrock1.dev.seamicro.phx1.mozilla.com:81/ :81 serves the SSL site, but SSL is terminated on the LB, hence the port number trick, but not HTTPS in the url
Were you able to find anything out on this? Do you require additional help from me/webops?
Let us know if you need additional assistance from webops
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Yeah AFAIK the issue is not resolved yet. I'm assigning this to James, he should work on a django shell on -dev to find out where what's missing here.
Assignee: bburton → jlong
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Fred Wenzel [:wenzel] from comment #12) > Yeah AFAIK the issue is not resolved yet. I'm assigning this to James, he > should work on a django shell on -dev to find out where what's missing here. I did do that, and I don't see anything out of the ordinary. Without the power to add a "import pdb; pdb.set_trace()" and step through the server, I can't figure out anything. Could IT possibly do that? Add a trace at the top of manage.py and step through to see if the monkeypatch is being applied? I'm kinda stumped as to what else to do.
Can we give James root on that box for a period of time?
peterbe determined that the monkeypatches are not being run from within the wsgi interface. James, looks like this is next on your plate to put those monkeypatches into urls.py :)
Severity: normal → critical
Status: REOPENED → NEW
That has been fixed by updating playdoh and incorporating the patches myself. Finally!
Status: NEW → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
Woot! Did you remove the occurrences of |safe that you had to add previously because this was broken?
Nope, but I can do that now too.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.