author | Magnus Hagander | 2018-04-15 12:49:13 +0000 |
---|---|---|
committer | Magnus Hagander | 2018-04-15 12:49:13 +0000 |
commit | 4c1233cbfe36805fe5fb511b6746bae86cac975d (patch) | |
tree | 2486460a28f48db88439a6b51d982aaf56822ecc /pgcommitfest/commitfest/views.py | |
parent | ddf65816afb2e17f51d9279f2a4b6d7787aa0301 (diff) |
Don't crash when passing in invalid values for filters
Previously we'd throw a 500 internal server error, and cause error
logging to happen. This became evident when scripts trying to SQL-inject
the site started hitting us.
Instead, just ignore any filters that pass non-integer values into
integer fields completely.
Diffstat (limited to 'pgcommitfest/commitfest/views.py')
-rw-r--r-- | pgcommitfest/commitfest/views.py | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/pgcommitfest/commitfest/views.py b/pgcommitfest/commitfest/views.py
index 68bdbef..049610f 100644
--- a/pgcommitfest/commitfest/views.py
+++ b/pgcommitfest/commitfest/views.py
@@ -106,7 +106,12 @@ def commitfest(request, cfid):
 # Build a dynamic filter based on the filtering options entered
 q = Q()
 if request.GET.has_key('status') and request.GET['status'] != "-1":
- q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+ try:
+ q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
+
 if request.GET.has_key('author') and request.GET['author'] != "-1":
 if request.GET['author'] == '-2':
 q = q & Q(authors=None)
@@ -116,7 +121,12 @@ def commitfest(request, cfid):
 return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
 q = q & Q(authors=request.user)
 else:
- q = q & Q(authors__id=int(request.GET['author']))
+ try:
+ q = q & Q(authors__id=int(request.GET['author']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
+
 if request.GET.has_key('reviewer') and request.GET['reviewer'] != "-1":
 if request.GET['reviewer'] == '-2':
 q = q & Q(reviewers=None)
@@ -126,7 +136,11 @@ def commitfest(request, cfid):
 return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
 q = q & Q(reviewers=request.user)
 else:
- q = q & Q(reviewers__id=int(request.GET['reviewer']))
+ try:
+ q = q & Q(reviewers__id=int(request.GET['reviewer']))
+ except ValueError:
+ # int() failed -- so just ignore this filter
+ pass
 if request.GET.has_key('text') and request.GET['text'] != '':
 q = q & Q(name__icontains=request.GET['text'])
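Review bot: The `except ValueError` on the status branch stops non-numeric input from raising, but a value that parses as an int yet lies far outside the column's range (for example `?status=99999999999999999999`) still reaches the ORM lookup untouched, and whether that surfaces as a backend `DataError` (the same 500 and error-log noise this commit is trying to avoid) depends on the database and Django version, which the hunk does not show. Status presumably indexes a small enumerated set, so bounding the parsed value before using it closes that path regardless of backend: `status = int(request.GET['status'])` followed by `if 0 <= status < 2**31: q = q & Q(patchoncommitfest__status=status)`. Confirm with a request carrying an oversized integer before relying on the catch alone. `commitfest()` begins before and continues after this hunk.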
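Review bot: The author branch repeats the same five-line try/except/pass idiom that the status branch above and the reviewer branch below carry, which leaves three places to keep in sync if the failure handling ever changes (for instance to also reject out-of-range ids). A small module-level helper that returns `None` when the value is not an integer lets each branch collapse to one lookup guarded by an `is not None` test, and documents the "invalid means no filter" semantics once instead of in three copies of the same comment. `commitfest()` starts before and ends after this hunk, so the helper would sit next to it at module level; the sketch below shows the author branch, and the status and reviewer branches would change the same way.
```python
def _parse_int_param(value):
    """Return int(value), or None when value is not an integer string.

    Used for filter parameters taken straight from request.GET; a value
    that is not an integer is treated as "no filter" rather than raising.
    """
    try:
        return int(value)
    except ValueError:
        return None


# … unchanged: commitfest() up to the author branch …
        else:
            author_id = _parse_int_param(request.GET['author'])
            if author_id is not None:
                q = q & Q(authors__id=author_id)
```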
@@ -136,7 +150,10 @@ def commitfest(request, cfid):
 # Figure out custom ordering
 ordering = ['-is_open', 'topic__topic', 'created',]
 if request.GET.has_key('sortkey') and request.GET['sortkey']!='':
- sortkey=int(request.GET['sortkey'])
+ try:
+ sortkey=int(request.GET['sortkey'])
+ except ValueError:
+ sortkey=0
 if sortkey==1:
 ordering = ['-is_open', 'modified', 'created',]