Closed
Bug 803221
Opened 12 years ago
Closed 12 years ago
500 Internal Server Error when fuzzing the /login?to= parameter
Categories
(Marketplace Graveyard :: Consumer Pages, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
2012-10-25
People
(Reporter: stephend, Assigned: hschlichting)
I get a 500 when I fuzz the login param:
https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F
Don't yet have a stacktrace, though.
Comment 1•12 years ago
This got caught in spam last night but you were off when I replied. Anyway, stacktrace:

SuspiciousOperation: Unsafe redirect to http://www.google.com
Powerfuzzer: v1 BETA
Stacktrace (most recent call last):
  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "session_csrf/__init__.py", line 127, in wrapper
    response = f(request, *args, **kw)
  File "mkt/developers/views.py", line 111, in login
    return _login(request, template='developers/login.html')
  File "users/views.py", line 399, in _login
    request = _clean_next_url(request)
  File "users/views.py", line 298, in _clean_next_url
    raise SuspiciousOperation('Unsafe redirect to %s' % url)

We should just log this and fail quietly. Hanno - want to adjust?
Assignee: nobody → hschlichting
Severity: major → normal
Target Milestone: --- → 2012-10-25
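The "log this and fail quietly" behaviour suggested in comment 1, sketched as an added example; it is not part of the bug report and not zamboni's actual code. The names `clean_next_url`, `DEFAULT_NEXT` and the fallback to `/` are assumptions, and the check goes slightly beyond the reported case by also covering scheme-relative and non-HTTP targets.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("redirects")
DEFAULT_NEXT = "/"  # assumed fallback landing page


def _reject(raw, reason):
    # Log for triage, then fall back instead of raising (which became the 500).
    log.warning("Unsafe redirect dropped (%s): %r", reason, raw[:200])
    return DEFAULT_NEXT


def clean_next_url(raw, request_host, allowed_hosts=frozenset()):
    """Return a safe post-login redirect target; never raise on bad input."""
    if not raw:
        return DEFAULT_NEXT
    # Browsers treat backslashes like slashes and drop control characters,
    # so reject both before parsing rather than trying to normalise them.
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return _reject(raw, "control char or backslash")
    candidate = raw.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return _reject(raw, "unparseable")
    if parts.scheme and parts.scheme not in ("http", "https"):
        return _reject(raw, "scheme")
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: host must be ours.
        host = (parts.hostname or "").lower()
        if host != request_host.lower() and host not in allowed_hosts:
            return _reject(raw, "foreign host")
        return candidate
    # Local path: must be rooted, and must not start with "//" or more.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return _reject(raw, "not a local absolute path")
    return candidate
```

With this shape the view always gets a usable target back, so the request from the report renders the login page while the rejected value still reaches the logs.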
Assignee
Comment 2•12 years ago
Patch created and sent in https://github.com/mozilla/zamboni/pull/465
Assignee
Comment 3•12 years ago
Pull request merged.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 4•12 years ago
Verified FIXED:
[09:22:57.920] GET https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F [HTTP/1.1 200 OK 452ms]
Status: RESOLVED → VERIFIED