Bug #33082

Useless traceback on fuzzing in /login

Added by Thomas Noël 3 months ago. Updated 3 months ago.

Status: Solution deployed
Priority: Normal
Assignee: -
Target version: -
Start date: 14 May 2019
Due date:
% Done: 0%
Patch proposed: Yes
Planning: No

Description

We should fail "cleanly" here (without a traceback):

Internal Server Error: /login/

KeyError at /login/
u'\xe0'

Request Method: GET
Request URL: https://departement06.test.entrouvert.org/login/?next=%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%40%ae%e0%40%ae%e0%80%afetc%e0%80%afpasswd
Django Version: 1.11.20
Python Executable: /usr/bin/uwsgi-core
Python Version: 2.7.13
Python Path: ['.', '', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages']
Server time: mar, 14 Mai 2019 11:58:38 +0200
Installed Applications:
''
Installed Middleware:
''

Traceback:

File "/usr/lib/python2.7/dist-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/lib/python2.7/dist-packages/combo/public/views.py" in login
  64.                                     + urllib.quote(request.GET.get('next')))

File "/usr/lib/python2.7/urllib.py" in quote
  1299.     return ''.join(map(quoter, s))

Exception Type: KeyError at /login/
Exception Value: u'\xe0'
Request information:
USER: AnonymousUser

0001-misc-return-400-when-an-improrer-next-parameter-is-g.patch (2.54 KB) Frédéric Péters, 02 Jun 2019 06:31 PM

Associated revisions

Revision 7aab01c9 (diff)
Added by Frédéric Péters 3 months ago

misc: return 400 when an improrer next parameter is given to login (#33082)

History

#1 Updated by Benjamin Dauvergne 3 months ago

  • Project changed from Authentic 2 to Combo

Combo ticket, not Authentic.

#2 Updated by Frédéric Péters 3 months ago

#3 Updated by Thomas Noël 3 months ago

  • Status changed from Solution proposed to Solution validated

Ah, that's funny, I hadn't seen that the KeyError came from urllib. There, thanks.

#4 Updated by Frédéric Péters 3 months ago

  • Status changed from Solution validated to Resolved (to be deployed)
commit 7aab01c92b90a9fac37e2d028a47e45923d4ce9a
Author: Frédéric Péters <fpeters@entrouvert.com>
Date:   Sun Jun 2 18:29:31 2019 +0200

    misc: return 400 when an improrer next parameter is given to login (#33082)

#5 Updated by Frédéric Péters 3 months ago

  • Status changed from Resolved (to be deployed) to Solution deployed
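
An added example, not part of the ticket and not Combo's patch (whose content is not shown on this page): one way to fail cleanly with a 400 when `next` is not valid percent-encoded UTF-8, written against Python 3's `urllib.parse`. `LOGIN_URL`, `BadNextParameter`, `extract_next` and `login_redirect` are hypothetical names.

```python
from urllib.parse import quote, unquote_to_bytes

LOGIN_URL = '/idp/login/'  # hypothetical redirect target, not Combo's real setting


class BadNextParameter(ValueError):
    """The ?next= value is not valid percent-encoded UTF-8."""


def extract_next(query_string):
    """Return the decoded `next` value, or None when the parameter is absent.

    Decoding is strict: invalid or overlong UTF-8 sequences raise
    BadNextParameter instead of being passed on to later code.
    """
    for pair in query_string.split('&'):
        name, _, raw = pair.partition('=')
        if name != 'next':
            continue
        data = unquote_to_bytes(raw.replace('+', ' '))
        try:
            return data.decode('utf-8', 'strict')
        except UnicodeDecodeError as exc:
            raise BadNextParameter(str(exc)) from exc
    return None


def login_redirect(query_string):
    """Return (status, location): 400 for a malformed `next`, 302 otherwise."""
    try:
        target = extract_next(query_string)
    except BadNextParameter:
        return 400, None
    if target is None:
        return 302, LOGIN_URL
    return 302, LOGIN_URL + '?next=' + quote(target)


# Shortened form of the fuzzed request URL quoted in the report above.
FUZZED = 'next=%e0%40%ae%e0%40%ae%e0%80%afetc%e0%80%afpasswd'

if __name__ == '__main__':
    print(login_redirect(FUZZED))               # malformed: rejected
    print(login_redirect('next=/caf%C3%A9/'))   # valid UTF-8: redirected
```

In a Django view the 400 branch would map to `HttpResponseBadRequest`, so the fuzzed request no longer produces an Internal Server Error report.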
