I'm currently testing our site for security vulnerabilities with a very limited background in security myself.
When running the following request:
http://127.0.0.1:8000/stuff/?template=%2Fe%00
I see the error (full stack trace below):
Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.
This would seem to be a problem with validating URL args, and that the character 0x00 (null) shouldn't be allowed. I'm fairly sure that in Google's Gruyere I saw that some characters should be escaped, but it seems odd to escape null.
I could of course just try/except line 92 in /code/stuff/views.py, but this will no doubt crop up elsewhere.
My questions are thus:
Stack trace:
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
34. response = get_response(request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
115. response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
113. response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in view
71. return self.dispatch(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/base.py" in dispatch
97. return handler(request, *args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get
157. context = self.get_context_data()
File "/code/stuff/views.py" in get_context_data
92. context = super(StuffListView, self).get_context_data(**kwargs)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in get_context_data
119. paginator, page, queryset, is_paginated = self.paginate_queryset(queryset, page_size)
File "/usr/local/lib/python3.6/site-packages/django/views/generic/list.py" in paginate_queryset
69. page = paginator.page(page_number)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in page
70. number = self.validate_number(number)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in validate_number
48. if number > self.num_pages:
File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
80. res = instance.__dict__[self.name] = self.func(instance)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in num_pages
97. if self.count == 0 and not self.allow_empty_first_page:
File "/usr/local/lib/python3.6/site-packages/django/utils/functional.py" in __get__
80. res = instance.__dict__[self.name] = self.func(instance)
File "/usr/local/lib/python3.6/site-packages/django/core/paginator.py" in count
91. return c()
File "/usr/local/lib/python3.6/site-packages/django/db/models/query.py" in count
392. return self.query.get_count(using=self.db)
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_count
504. number = obj.get_aggregation(using, ['__count'])['__count']
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/query.py" in get_aggregation
489. result = compiler.execute_sql(SINGLE)
File "/usr/local/lib/python3.6/site-packages/django/db/models/sql/compiler.py" in execute_sql
1100. cursor.execute(sql, params)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
99. return super().execute(sql, params)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in execute
67. return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute_with_wrappers
76. return executor(sql, params, many, context)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/utils.py" in _execute
84. return self.cursor.execute(sql, params)
Exception Type: ValueError at /stuff/
Exception Value: A string literal cannot contain NUL (0x00) characters.
Based on the traceback, the issue isn't that a URL argument couldn't contain %00, but by the time it's being passed through to the database you're using, through the Paginator, the database driver is complaining about things.
Judging by the error, you're probably using Postgres. (See this related question: Django + Postgres: A string literal cannot contain NUL (0x00) characters)
If you like, you could set up a middleware that rejects any and all requests containing %00.
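One way to implement the middleware the answer suggests, as an added example that is not the answerer's or the project's own code: it rejects with a 400 any request whose path or percent-decoded query string contains a NUL byte, before the request reaches the view, the Paginator, or the database driver. The class name NulByteRejectMiddleware and the response text are my own choices, and the fallback class exists only so the check itself can run where Django is not installed.

```python
from urllib.parse import parse_qsl

try:
    from django.http import HttpResponseBadRequest
except ImportError:  # stand-in so the check runs without Django installed
    class HttpResponseBadRequest:
        status_code = 400

        def __init__(self, content=b""):
            self.content = content


def find_nul_params(query_string):
    """Return the names of query parameters whose key or value contains a
    NUL character after percent-decoding, e.g. ?template=%2Fe%00."""
    offenders = []
    # keep_blank_values so a bare "x%00=" is still inspected
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if "\x00" in key or "\x00" in value:
            offenders.append(key)
    return offenders


class NulByteRejectMiddleware:
    """New-style Django middleware (hypothetical name). Add its dotted path
    near the top of MIDDLEWARE so it runs before any view code."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # request.path is already decoded by Django; QUERY_STRING is raw,
        # so find_nul_params does the percent-decoding itself.
        raw_query = request.META.get("QUERY_STRING", "")
        if "\x00" in request.path or find_nul_params(raw_query):
            # 400 tells the client the input is unacceptable without
            # surfacing a server-side ValueError and stack trace.
            return HttpResponseBadRequest(b"NUL bytes are not allowed in the URL")
        return self.get_response(request)
```

Rejecting at the middleware layer covers every view at once, which is the point the question raises about the problem cropping up elsewhere.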