authorMagnus Hagander2018-04-15 12:49:13 +0000
committerMagnus Hagander2018-04-15 12:49:13 +0000
commit4c1233cbfe36805fe5fb511b6746bae86cac975d (patch)
tree2486460a28f48db88439a6b51d982aaf56822ecc /pgcommitfest/commitfest/views.py
parentddf65816afb2e17f51d9279f2a4b6d7787aa0301 (diff)
Don't crash when passing in invalid values for filters
Previously we'd throw a 500 internal server error, and cause error logging to happen. This became evident when scripts trying to SQL-inject the site started hitting us. Instead, just ignore any filters that pass non-integer values into integer fields completely.
Diffstat (limited to 'pgcommitfest/commitfest/views.py')
-rw-r--r--pgcommitfest/commitfest/views.py25
1 files changed, 21 insertions, 4 deletions
diff --git a/pgcommitfest/commitfest/views.py b/pgcommitfest/commitfest/views.py
index 68bdbef..049610f 100644
--- a/pgcommitfest/commitfest/views.py
+++ b/pgcommitfest/commitfest/views.py
@@ -106,7 +106,12 @@ def commitfest(request, cfid):
# Build a dynamic filter based on the filtering options entered
q = Q()
if request.GET.has_key('status') and request.GET['status'] != "-1":
- q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+ try:
+ q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
+
if request.GET.has_key('author') and request.GET['author'] != "-1":
if request.GET['author'] == '-2':
q = q & Q(authors=None)
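Review bot: The new `except ValueError` around `int(request.GET['status'])` only rejects strings that are not numbers, so a digit string too large for the column still parses and is handed to the ORM. Assuming `patchoncommitfest__status`, `authors__id` and `reviewers__id` are ordinary 32-bit integer columns, the database would presumably reject such a value with an error of its own, which is the 500 and error-log noise this commit sets out to remove. The same applies to the `author` and `reviewer` hunks below, which repeat the identical try/except block. One shared helper that parses and range-checks the parameter, returning None when the filter should be ignored, would close the gap and remove the triplication; the status case is sketched below. The body of `commitfest` starts and continues outside this hunk.

```python
def _int_param(request, name):
    # Return the named GET parameter as an int, or None when it is not a
    # number or would not fit a 32-bit integer column (column width assumed).
    try:
        val = int(request.GET[name])
    except ValueError:
        return None
    if -2**31 <= val < 2**31:
        return val
    return None

# ... unchanged: q = Q() ...
if request.GET.has_key('status') and request.GET['status'] != "-1":
    status = _int_param(request, 'status')
    if status is not None:
        q = q & Q(patchoncommitfest__status=status)
```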
@@ -116,7 +121,12 @@ def commitfest(request, cfid):
return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
q = q & Q(authors=request.user)
else:
- q = q & Q(authors__id=int(request.GET['author']))
+ try:
+ q = q & Q(authors__id=int(request.GET['author']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
+
if request.GET.has_key('reviewer') and request.GET['reviewer'] != "-1":
if request.GET['reviewer'] == '-2':
q = q & Q(reviewers=None)
@@ -126,7 +136,11 @@ def commitfest(request, cfid):
return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
q = q & Q(reviewers=request.user)
else:
- q = q & Q(reviewers__id=int(request.GET['reviewer']))
+ try:
+ q = q & Q(reviewers__id=int(request.GET['reviewer']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
if request.GET.has_key('text') and request.GET['text'] != '':
q = q & Q(name__icontains=request.GET['text'])
@@ -136,7 +150,10 @@ def commitfest(request, cfid):
# Figure out custom ordering
ordering = ['-is_open', 'topic__topic', 'created',]
if request.GET.has_key('sortkey') and request.GET['sortkey']!='':
- sortkey=int(request.GET['sortkey'])
+ try:
+ sortkey=int(request.GET['sortkey'])
+ except ValueError:
+ sortkey=0
if sortkey==1:
ordering = ['-is_open', 'modified', 'created',]