From be5374c103982abdec26b33b2e6a875700ef9d6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 29 May 2018 16:34:45 +0200
Subject: [PATCH] wcs: do not crash on POST with invalid cell identifiers (#24147)
---
 combo/apps/wcs/views.py | 7 +++++--
 tests/test_wcs.py | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/combo/apps/wcs/views.py b/combo/apps/wcs/views.py
index 10d2522..fcb0ca3 100644
--- a/combo/apps/wcs/views.py
+++ b/combo/apps/wcs/views.py
@@ -17,7 +17,7 @@
 import urlparse
 from django.contrib import messages
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseBadRequest
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
@@ -38,7 +38,10 @@ class TrackingCodeView(View):
 return super(TrackingCodeView, self).dispatch(*args, **kwargs)
 def post(self, request, *args, **kwargs):
- cell = TrackingCodeInputCell.objects.get(id=request.POST['cell'])
+ try:
+ cell = TrackingCodeInputCell.objects.get(id=request.POST['cell'])
+ except (ValueError, TrackingCodeInputCell.DoesNotExist):
+ return HttpResponseBadRequest('Invalid cell id')
 code = request.POST['code']
 if cell.wcs_site:
 wcs_sites = [get_wcs_services().get(cell.wcs_site)]
diff --git a/tests/test_wcs.py b/tests/test_wcs.py
index 0a6bc7a..64b8e54 100644
--- a/tests/test_wcs.py
+++ b/tests/test_wcs.py
@@ -586,3 +586,14 @@ def test_tracking_code_cell(app):
 resp.form['code'] = 'CNPHNTFB'
 resp = resp.form.submit()
 assert resp.location == 'http://example.net/?foo=bar&unknown-tracking-code'
+
+ # error handling
+ resp = app.get('/')
+ resp.form['cell'] = '0000'
+ resp.form['code'] = 'CNPHNTFB'
+ resp = resp.form.submit(status=400)
+
+ resp = app.get('/')
+ resp.form['cell'] = 'xxxx'
+ resp.form['code'] = 'CNPHNTFB'
+ resp = resp.form.submit(status=400)
--
2.17.0
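Review bot: A POST that omits the `cell` field still raises out of `post()` in combo/apps/wcs/views.py, because `request.POST['cell']` throws `MultiValueDictKeyError` (a `KeyError` subclass) and the new handler catches only `ValueError` and `DoesNotExist`; the unguarded `code = request.POST['code']` on the next context line fails the same way. The file imports `csrf_exempt`, so this view presumably accepts posts from arbitrary clients and malformed bodies should be expected rather than treated as exceptional. I would read both fields inside the `try` and widen the handler to `except (KeyError, ValueError, TrackingCodeInputCell.DoesNotExist):`, keeping the fixed response text so no request data is echoed back. The cases added in tests/test_wcs.py cover an unknown id and a non-numeric id but not a request with `cell` or `code` absent, so a third case posting without those fields and expecting status 400 would pin this. The body of `post()` continues past the end of the hunk, so later uses of `code` are not visible here.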