[traceback] 500 Error: ValueError: invalid literal for int() with base 10: '20"'

VERIFIED DUPLICATE of bug 904862

People

(Reporter: mbrandt, Unassigned)

Tracking

Details

(Reporter)

Description

6 years ago
Production apparently got fuzzed by someone - here is a list of URLs that produce 500 errors for ValueError.

/en-US/search/?limit=20';select%20pg_sleep(7.55);%20--%20&page=31&q=
/en-US/search/?limit=20%22;%20waitfor%20delay%20%270:0:7.55%27%20--%20&page=21&q=
/en-US/search/?limit=20'%2b(select%201%20from%20(select%20sleep(7.55))A)%2b'&page=26&q=
/en-US/search/?limit=20';%20waitfor%20delay%20'0:0:4'%20--%20&page=12&q=
/en-US/search/?limit=20%22%3dsleep(4)%3d%22&page=4&q=
/en-US/search/?limit=20';select%20pg_sleep(4);%20--%20&page=12&q=

Steps to reproduce:
1. Go to https://mozillians.org/en-US/search/?limit=20%22;%20waitfor%20delay%20%270:0:7.55%27%20--%20&page=21&q=

Actual:
Returns a 500 ValueError Error

Traceback (most recent call last):

  File "/data/www/mozillians.org/mozillians/vendor/src/django/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File "/usr/lib64/python2.6/site-packages/newrelic-1.10.2.38/newrelic/api/object_wrapper.py", line 220, in __call__
    self._nr_instance, args, kwargs)

  File "/usr/lib64/python2.6/site-packages/newrelic-1.10.2.38/newrelic/hooks/framework_django.py", line 475, in wrapper
    return wrapped(*args, **kwargs)

  File "/data/www/mozillians.org/mozillians/apps/phonebook/views.py", line 176, in search
    if form.is_valid():

  File "/data/www/mozillians.org/mozillians/vendor/src/django/django/forms/forms.py", line 124, in is_valid
    return self.is_bound and not bool(self.errors)

  File "/data/www/mozillians.org/mozillians/vendor/src/django/django/forms/forms.py", line 115, in _get_errors
    self.full_clean()

  File "/data/www/mozillians.org/mozillians/vendor/src/django/django/forms/forms.py", line 270, in full_clean
    self._clean_fields()

  File "/data/www/mozillians.org/mozillians/vendor/src/happyforms/happyforms/__init__.py", line 32, in _clean_fields
    value = getattr(self, 'clean_%s' % name)()

  File "/data/www/mozillians.org/mozillians/apps/phonebook/forms.py", line 33, in clean_limit
    elif not REGEX_NUMERIC.match(str(limit)) or int(limit) < 1:

ValueError: invalid literal for int() with base 10: '20"'
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 904862
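The traceback makes the defect visible without the form source: `int(limit)` sits on the right of an `or`, so it is only reached when `REGEX_NUMERIC.match(str(limit))` has already succeeded on `'20"'`. The pattern therefore anchors at the start but not at the end, and the conversion runs on input the regex never fully vetted. The following is an added example, not code from the mozillians project: the exact definition of REGEX_NUMERIC and the default limit of 20 are assumptions. It rebuilds the failing check beside a hardened version that validates the whole string before converting, and runs both over the URLs listed in the report to show that every one now falls back to the default instead of raising.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed (not taken from the mozillians source): a pattern anchored only at
# the start. The traceback shows int() being reached, which by short-circuit
# evaluation means the real pattern also accepted '20"'.
REGEX_NUMERIC_LOOSE = re.compile(r'^\d+')

# Hardened pattern: used with fullmatch, so the entire value must be digits.
REGEX_NUMERIC_STRICT = re.compile(r'\d+')

DEFAULT_LIMIT = 20  # constructed default, not taken from the page


def clean_limit_unsafe(limit):
    """Mirrors the shape of the failing check in the traceback."""
    if limit is None:
        return DEFAULT_LIMIT
    # If the loose match succeeds on '20"', int() runs and raises ValueError,
    # which Django turns into the 500 seen in production.
    elif not REGEX_NUMERIC_LOOSE.match(str(limit)) or int(limit) < 1:
        return DEFAULT_LIMIT
    return int(limit)


def clean_limit_safe(limit, default=DEFAULT_LIMIT, maximum=100):
    """Validate the whole value first; int() only ever sees pure digits."""
    if limit is None:
        return default
    text = str(limit).strip()
    if not REGEX_NUMERIC_STRICT.fullmatch(text):
        return default          # anything that is not all digits -> default
    value = int(text)           # safe: fullmatch guarantees digits only
    if value < 1 or value > maximum:
        return default          # also cap the page size (constructed bound)
    return value


def limit_from_url(url):
    """Extract the raw 'limit' query parameter as the view would receive it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = qs.get('limit')
    return values[0] if values else None


# The URLs from the bug report, unchanged.
FUZZED_URLS = [
    "/en-US/search/?limit=20';select%20pg_sleep(7.55);%20--%20&page=31&q=",
    "/en-US/search/?limit=20%22;%20waitfor%20delay%20%270:0:7.55%27%20--%20&page=21&q=",
    "/en-US/search/?limit=20'%2b(select%201%20from%20(select%20sleep(7.55))A)%2b'&page=26&q=",
    "/en-US/search/?limit=20';%20waitfor%20delay%20'0:0:4'%20--%20&page=12&q=",
    "/en-US/search/?limit=20%22%3dsleep(4)%3d%22&page=4&q=",
    "/en-US/search/?limit=20';select%20pg_sleep(4);%20--%20&page=12&q=",
]


def compare(urls=FUZZED_URLS):
    """Run both validators over each URL; one (raw, unsafe, safe) row per URL."""
    rows = []
    for url in urls:
        raw = limit_from_url(url)
        try:
            unsafe = clean_limit_unsafe(raw)
        except ValueError as exc:
            unsafe = 'ValueError: %s' % exc
        rows.append((raw, unsafe, clean_limit_safe(raw)))
    return rows


if __name__ == '__main__':
    for raw, unsafe, safe in compare():
        print('%-45r unsafe=%-55s safe=%s' % (raw, unsafe, safe))
```

The essential change is `fullmatch` (or an explicit `$` anchor) plus converting only after validation succeeds. Returning the default rather than raising a Django ValidationError is a design choice for a search page; either is fine, as long as unvetted text never reaches `int()`.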
(Reporter)

Comment 2

5 years ago
Rightly so -- verified duplicate
Status: RESOLVED → VERIFIED