DjangoBB

Django based forum engine


#1 March 16, 2012 14:39:03

gerdemb
Registered: 2012-03-16
Posts: 2
Reputation: +  0  -

Invalid GET parameters in search show_user raise exceptions

Good morning,

My site recently received a request like this: /forum/search/?action=show_user&user_id=GARBAGE

Eventually, in the database backend code, this raised a ValueError exception where the GET parameter was converted to an int. If the GET parameters are nonsensical, then I think they should either be ignored or an HttpResponseNotFound (404) error raised, depending on whether it's possible to proceed. Quickly browsing through the view.py code, I saw a number of cases where GET parameters are used without any error checking. For example:

user_id = request.GET
forum = request.GET.get('forum')
post_id = request.GET

etc. etc.

Although Django is supposed to guard against SQL injection attacks, it makes me nervous to see GET parameters used directly in database queries without any error checking first.

Otherwise enjoying using your forum on my site!

Cheers,
Ben

