TypeError: strptime() argument 1 must be string without null bytes, not unicode

VERIFIED FIXED

Status

Socorro
Webapp
--
major
VERIFIED FIXED
4 years ago
2 years ago

People

(Reporter: stephend, Unassigned)

Details

(Whiteboard: [fuzzer], URL)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
STR:

Load https://crash-stats.allizom.org/search/results/?date=http%3a%2f%2fnetsparker.com%2fn%3f%00.php&_facets=signature&_columns=platform

Actual:

Internal Server Error

TypeError: strptime() argument 1 must be string without null bytes, not unicode

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "waffle/decorators.py", line 36, in _wrapped_view
    return view(request, *args, **kwargs)
  File "crashstats/supersearch/views.py", line 109, in search_results
    if not form.is_valid():
  File "django/forms/forms.py", line 124, in is_valid
    return self.is_bound and not bool(self.errors)
  File "django/forms/forms.py", line 115, in _get_errors
    self.full_clean()
  File "django/forms/forms.py", line 270, in full_clean
    self._clean_fields()
  File "django/forms/forms.py", line 287, in _clean_fields
    value = field.clean(value)
  File "crashstats/supersearch/form_fields.py", line 79, in clean
    **kwargs
  File "crashstats/supersearch/form_fields.py", line 43, in clean
    cleaned_value = super(PrefixedField, self).clean(*args, **kwargs)
  File "django/forms/fields.py", line 153, in clean
    value = self.to_python(value)
  File "crashstats/supersearch/form_fields.py", line 40, in to_python
    return super(PrefixedField, self).to_python(value)
  File "django/forms/fields.py", line 437, in to_python
    result = super(DateTimeField, self).to_python(value)
  File "django/forms/fields.py", line 342, in to_python
    return self.strptime(value, format)
  File "django/forms/fields.py", line 441, in strptime
    return datetime.datetime.strptime(value, format)

Comment 1

This is from fuzzing, right? I feel like WONTFIX'ing that bug, I don't expect users to ever put null bytes in the date field...
(Reporter)

Comment 2

4 years ago
(In reply to Adrian Gaudebert [:adrian] from comment #1)
> This is from fuzzing, right? I feel like WONTFIX'ing that bug, I don't
> expect users to ever put null bytes in the date field...

We spent/spend a lot of work fixing fuzzer bugs, both here and in pretty much every other Webdev project -- it's good practice to safe-guard against bad user input, IMHO.
Whiteboard: [fuzzer]
(Reporter)

Comment 3

4 years ago
(Also, I don't understand why bug 885430 would be/has been addressed, as it's also a fuzzer bug, but this bug would be questioned?)

Comment 4

So, the difference between this bug and bug 885430 is that there is no bug in our code here. Bug 885430 was allowing an edge-case where we would perform an invalid comparison. The problem here happens in code that we have no control over.

However, we could probably raise a different error when this happens. Instead of a 500, we could show a 400 error with a note on what was wrong. I'll look into it.

Comment 5

Now you do get a nice 400 error on that URL.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
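
An added example, not Socorro's code and not part of the original thread, of the approach discussed above: validate the date parameter and answer with a 400 and a note instead of letting the parser's exception surface as a 500. The names `clean_date`, `search_results`, `BadRequest` and the accepted formats are assumptions made for this sketch; it uses only the Python 3 standard library.

```python
import datetime
from urllib.parse import parse_qs

# Accepted formats are an assumption for this example; the thread does not list them.
DATE_FORMATS = ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%S")

# Query string taken from the URL in the report above.
FUZZED_QUERY = ("date=http%3a%2f%2fnetsparker.com%2fn%3f%00.php"
                "&_facets=signature&_columns=platform")


class BadRequest(Exception):
    """Invalid client input; the view maps it to HTTP 400."""


def clean_date(raw):
    """Parse one date value or raise BadRequest with a note for the user."""
    # Reject NUL and other control characters before strptime sees the value.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise BadRequest("date contains control characters")
    for fmt in DATE_FORMATS:
        try:
            return datetime.datetime.strptime(raw, fmt)
        except (ValueError, TypeError):
            # TypeError is what Python 2's strptime raised for null bytes.
            continue
    raise BadRequest("date is not in a recognised format")


def search_results(query_string):
    """Hypothetical view returning (status, body) instead of an uncaught error."""
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        dates = [clean_date(value) for value in params.get("date", [])]
    except BadRequest as exc:
        return 400, "Bad Request: %s" % exc
    return 200, [d.isoformat() for d in dates]


if __name__ == "__main__":
    print(search_results(FUZZED_QUERY))
    print(search_results("date=2015-09-23"))
```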
(Reporter)

Comment 6

2 years ago
Verified FIXED; thanks.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 7

2 years ago
Created attachment 8665184 [details]
Post-fix screenshot