Closed Bug 803221 Opened 12 years ago Closed 12 years ago

500 Internal Server Error when fuzzing the /login?to= parameter

Categories

(Marketplace Graveyard :: Consumer Pages, defect)

Product:
Marketplace Graveyard
Component:
Consumer Pages
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
2012-10-25

People

(Reporter: stephend, Assigned: hschlichting)

References

(
URL
)

Details

I get a 500 when I fuzz the login param: https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F

Don't yet have a stacktrace, though.
This got caught in spam last night but you were off when I replied.  Anyway, stacktrace:

SuspiciousOperation: Unsafe redirect to http://www.google.com
Powerfuzzer: v1 BETA

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "session_csrf/__init__.py", line 127, in wrapper
    response = f(request, *args, **kw)
  File "mkt/developers/views.py", line 111, in login
    return _login(request, template='developers/login.html')
  File "users/views.py", line 399, in _login
    request = _clean_next_url(request)
  File "users/views.py", line 298, in _clean_next_url
    raise SuspiciousOperation('Unsafe redirect to %s' % url)


We should just log this and fail quietly.  Hanno - want to adjust?
Assignee: nobody → hschlichting
Severity: major → normal
Target Milestone: --- → 2012-10-25
Patch created and sent in https://github.com/mozilla/zamboni/pull/465
Pull request merged.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified FIXED:

[09:22:57.920] GET https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F [HTTP/1.1 200 OK 452ms]
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.