Opened 7 years ago

Closed 7 years ago

#29179 closed Bug (wontfix)

format_html() can falsely interpret a stack trace as a str.format replacement field

Reported by: Stephan Michaud
Owned by: nobody
Component: Utilities
Version: 1.10
Severity: Normal
Keywords: format_html, string
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hi team,

We have an internal page where we display stack traces on a web page. We've been using the format_html before rendering the data to the template, which has worked well in the past.
However, one of the stack traces contained a dictionary definition as such:

data = urllib.parse.urlencode({'request': self.get_serialized_data()})

Once that string reached the format_html function, it would cause the following Exception:

KeyError: "'request'"

due to the call to format() recognizing the dictionary as a replacement field.

Change History (5)

comment:1 by Stephan Michaud, 7 years ago

Type: Uncategorized → Bug

comment:2 by Tim Graham, 7 years ago

Component: Uncategorized → Utilities
Summary: calling format_html can falsely interpret a stack trace as a str.format replacement field → format_html() can falsely interpret a stack trace as a str.format replacement field

Could you give a minimal example that reproduces the issue (i.e. give the minimal string from the traceback and the arguments for format_html())?

in reply to: comment:2 — comment:3 by Stephan Michaud, 7 years ago

Replying to Tim Graham:

Could you give a minimal example that reproduces the issue (i.e. give the minimal string from the traceback and the arguments for format_html())?

Sure! Here's the string passed in to format_html():

<div class="ui-state-default ui-corner-all show_node" style="cursor:pointer;padding:4px;min-width:50px">show</div><div class="hidden_menu">Traceback (most recent call last):
  File "/home/tool/www/project/common/utils.py", line 52, in inner
    ret = func(*args, **kwargs)
  File "/home/tool/www/project/servers/management/commands/servers_getindexation.py", line 31, in handle
    server.fetch_content()
  File "/home/tool/www/project/common/abstract_models.py", line 289, in fetch_content
    get=params[1],
  File "/home/tool/www/project/proxies/models.py", line 99, in append_process
    process.get_proxy_response()
  File "/home/tool/www/project/proxies/models.py", line 254, in get_proxy_response
    data = urllib.parse.urlencode({'request': self.get_serialized_data()})
  File "/home/tool/www/project/proxies/models.py", line 216, in get_serialized_data
    'useragent': self.request_useragent,
  File "/home/tool/venv/lib/python3.5/base64.py", line 59, in b64encode
    encoded = binascii.b2a_base64(s)[:-1]
TypeError: a bytes-like object is required, not 'str'
</div>

comment:4 by Tim Graham, 7 years ago

Oh, I see. Well, I'm not sure there's much Django can do about that. Did you consider escaping the traceback before passing it to format_html()?
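Added illustration (not part of the ticket discussion, and not Django's code): the failure in comment:3 comes from using the traceback text itself as the format string, so str.format() parses the dict literal `{'request': ...}` as a replacement field. The stand-in `format_html` below is a constructed model of Django 1.10's behaviour (each argument is HTML-escaped, then substituted with str.format()), written with the standard library so it runs offline; the traceback text is constructed from the one in the ticket. `render_unsafe` reproduces the KeyError; `render_safe` shows the pattern that avoids it: the format string stays a constant literal and the untrusted text is passed as an argument, where braces are never interpreted and the text is escaped on the way in.

```python
import html


def format_html(format_string, *args, **kwargs):
    """Constructed stand-in for django.utils.html.format_html (Django 1.10):
    arguments are HTML-escaped, then substituted into format_string with
    str.format(). The format string itself is trusted and never escaped."""
    args_safe = [html.escape(str(a), quote=True) for a in args]
    kwargs_safe = {k: html.escape(str(v), quote=True) for k, v in kwargs.items()}
    return format_string.format(*args_safe, **kwargs_safe)


# Constructed traceback text modelled on comment:3; the dict literal on the
# urlencode line is exactly what str.format() reads as a replacement field.
TRACEBACK = (
    "Traceback (most recent call last):\n"
    "  File \"models.py\", line 254, in get_proxy_response\n"
    "    data = urllib.parse.urlencode({'request': self.get_serialized_data()})\n"
    "TypeError: a bytes-like object is required, not 'str'\n"
)


def render_unsafe(trace):
    """The pattern from the ticket: the untrusted text *is* the format string.
    Every brace in it is parsed as a replacement field, so this raises
    KeyError("'request'"). Because only the arguments of format_html are
    escaped, any markup in the trace would also be emitted unescaped."""
    return format_html('<div class="hidden_menu">' + trace + '</div>')


def render_safe(trace):
    """Keep the format string a literal and pass the trace as an argument:
    str.format() never parses argument values, and they are HTML-escaped."""
    return format_html('<div class="hidden_menu">{}</div>', trace)


def reproduce():
    """Return (error_from_unsafe, safe_output) so both outcomes are observable."""
    try:
        render_unsafe(TRACEBACK)
        error = None
    except (KeyError, IndexError, ValueError) as exc:
        error = repr(exc)
    return error, render_safe(TRACEBACK)


if __name__ == "__main__":
    error, safe = reproduce()
    print("unsafe pattern raised:", error)
    print("safe pattern rendered:", safe)
```

Note that HTML escaping on its own leaves braces untouched, so an escaped trace used as the format string would still hit the same KeyError; what removes it is passing the trace as an argument. That also closes the second problem with the unsafe pattern: a format string is returned marked safe without escaping, so untrusted text in that position would reach the template unescaped.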

comment:5 by Tim Graham, 7 years ago

Resolution: wontfix
Status: new → closed