500 Internal Server Error when fuzzing the /login?to= parameter

VERIFIED FIXED in 2012-10-25

Status

Marketplace
Consumer Pages
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: stephend, Assigned: Hanno Schlichting)

Tracking

2012-10-25
Points:
---

Details

(URL)

I get a 500 when I fuzz the login param: https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F

Don't yet have a stacktrace, though.
This got caught in spam last night but you were off when I replied.  Anyway, stacktrace:

SuspiciousOperation: Unsafe redirect to http://www.google.com
Powerfuzzer: v1 BETA

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "session_csrf/__init__.py", line 127, in wrapper
    response = f(request, *args, **kw)
  File "mkt/developers/views.py", line 111, in login
    return _login(request, template='developers/login.html')
  File "users/views.py", line 399, in _login
    request = _clean_next_url(request)
  File "users/views.py", line 298, in _clean_next_url
    raise SuspiciousOperation('Unsafe redirect to %s' % url)


We should just log this and fail quietly.  Hanno - want to adjust?
Assignee: nobody → hschlichting
Severity: major → normal
Target Milestone: --- → 2012-10-25
(Assignee)

Comment 2

6 years ago
Patch created and sent in https://github.com/mozilla/zamboni/pull/465
(Assignee)

Comment 3

6 years ago
Pull request merged.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Verified FIXED:

[09:22:57.920] GET https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F [HTTP/1.1 200 OK 452ms]
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.