Don't crash when passing in invalid values for filters

Previously we'd throw a 500 internal server error, and cause error logging to happen. This became evident when scripts trying to SQL-inject the site started hitting us.. Instead, just ignore any filters that pass non-integer values into integer fields completely.
author: Magnus Hagander 2018-04-15 12:49:13 +0000
committer: Magnus Hagander 2018-04-15 12:49:13 +0000
commit: 4c1233cbfe36805fe5fb511b6746bae86cac975d (patch)
tree: 2486460a28f48db88439a6b51d982aaf56822ecc /pgcommitfest/commitfest/views.py
parent: ddf65816afb2e17f51d9279f2a4b6d7787aa0301 (diff)
1 files changed, 21 insertions, 4 deletions
diff --git a/pgcommitfest/commitfest/views.py b/pgcommitfest/commitfest/views.py
index 68bdbef..049610f 100644
--- a/pgcommitfest/commitfest/views.py
+++ b/pgcommitfest/commitfest/views.py
@@ -106,7 +106,12 @@ def commitfest(request, cfid):
 	# Build a dynamic filter based on the filtering options entered
 	q = Q()
 	if request.GET.has_key('status') and request.GET['status'] != "-1":
-		q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+		try:
+			q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+		except ValueError:
+			# int() failed -- so just ignore this filter
+			pass
+
 	if request.GET.has_key('author') and request.GET['author'] != "-1":
 		if request.GET['author'] == '-2':
 			q = q & Q(authors=None)
@@ -116,7 +121,12 @@ def commitfest(request, cfid):
 				return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
 			q = q & Q(authors=request.user)
 		else:
-			q = q & Q(authors__id=int(request.GET['author']))
+			try:
+				q = q & Q(authors__id=int(request.GET['author']))
+			except ValueError:
+				# int() failed -- so just ignore this filter
+				pass
+
 	if request.GET.has_key('reviewer') and request.GET['reviewer'] != "-1":
 		if request.GET['reviewer'] == '-2':
 			q = q & Q(reviewers=None)
@@ -126,7 +136,11 @@ def commitfest(request, cfid):
 				return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
 			q = q & Q(reviewers=request.user)
 		else:
-			q = q & Q(reviewers__id=int(request.GET['reviewer']))
+			try:
+				q = q & Q(reviewers__id=int(request.GET['reviewer']))
+			except ValueError:
+				# int() failed -- so just ignore this filter
+				pass
 
 	if request.GET.has_key('text') and request.GET['text'] != '':
 		q = q & Q(name__icontains=request.GET['text'])
@@ -136,7 +150,10 @@ def commitfest(request, cfid):
 	# Figure out custom ordering
 	ordering = ['-is_open', 'topic__topic', 'created',]
 	if request.GET.has_key('sortkey') and request.GET['sortkey']!='':
-		sortkey=int(request.GET['sortkey'])
+		try:
+			sortkey=int(request.GET['sortkey'])
+		except ValueError:
+			sortkey=0
 
 		if sortkey==1:
 			ordering = ['-is_open', 'modified', 'created',]
author	Magnus Hagander	2018-04-15 12:49:13 +0000
committer	Magnus Hagander	2018-04-15 12:49:13 +0000
commit	4c1233cbfe36805fe5fb511b6746bae86cac975d (patch)
tree	2486460a28f48db88439a6b51d982aaf56822ecc /pgcommitfest/commitfest/views.py
parent	ddf65816afb2e17f51d9279f2a4b6d7787aa0301 (diff)