Opened 7 years ago
Closed 7 years ago
#29179 closed Bug (wontfix)
format_html() can falsely interpret a stack trace as a str.format replacement field
Reported by: | Stephan Michaud | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | 1.10 |
Severity: | Normal | Keywords: | format_html, string |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi team,
We have an internal page where we display stack traces on a web page. We've been using the format_html before rendering the data to the template, which has worked well in the past.
However, one of the stack traces contained a dictionary definition as such:
data = urllib.parse.urlencode({'request': self.get_serialized_data()})
Once that string reached the format_html function, it would cause the following Exception:
KeyError: "'request'"
due to the call to format() recognizing the dictionary as a replacement field.
Change History (5)
comment:1 by , 7 years ago
Type: | Uncategorized → Bug |
---|
follow-up: 3 comment:2 by , 7 years ago
Component: | Uncategorized → Utilities |
---|---|
Summary: | calling format_html can falsely interpret a stack trace as a str.format replacement field → format_html() can falsely interpret a stack trace as a str.format replacement field |
comment:3 by , 7 years ago
Replying to Tim Graham:
Could you give a minimal example that reproduces the issue (i.e. give the minimal string from the traceback and the arguments for format_html())?
Sure! Here's the string passed in to format_html():
<div class="ui-state-default ui-corner-all show_node" style="cursor:pointer;padding:4px;min-width:50px">show</div><div class="hidden_menu">Traceback (most recent call last): File "/home/tool/www/project/common/utils.py", line 52, in inner ret = func(*args, **kwargs) File "/home/tool/www/project/servers/management/commands/servers_getindexation.py", line 31, in handle server.fetch_content() File "/home/tool/www/project/common/abstract_models.py", line 289, in fetch_content get=params[1], File "/home/tool/www/project/proxies/models.py", line 99, in append_process process.get_proxy_response() File "/home/tool/www/project/proxies/models.py", line 254, in get_proxy_response data = urllib.parse.urlencode({'request': self.get_serialized_data()}) File "/home/tool/www/project/proxies/models.py", line 216, in get_serialized_data 'useragent': self.request_useragent, File "/home/tool/venv/lib/python3.5/base64.py", line 59, in b64encode encoded = binascii.b2a_base64(s)[:-1] TypeError: a bytes-like object is required, not 'str' </div>
comment:4 by , 7 years ago
Oh, I see. Well, I'm not sure there's much Django can do about that. Did you consider escaping the traceback before passing it to format_html()?
comment:5 by , 7 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
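The failure reported in this ticket, next to two ways of handling the traceback, as an added example that is not part of the original ticket or Django's own code. `format_html_like` is a simplified stdlib stand-in for `django.utils.html.format_html` (assumption: arguments are HTML-escaped, the format string is not), and the traceback text is constructed from the line quoted in the description.

```python
import html


def format_html_like(format_string, *args, **kwargs):
    """Simplified stand-in for format_html (assumption): escape every
    argument, then call str.format() on the unescaped format string."""
    safe_args = [html.escape(str(a)) for a in args]
    safe_kwargs = {k: html.escape(str(v)) for k, v in kwargs.items()}
    return format_string.format(*safe_args, **safe_kwargs)


# Constructed sample traceback; the file name is hypothetical.
TRACEBACK = (
    'File "manage.py", line 22, in <module>\n'
    "    data = urllib.parse.urlencode({'request': self.get_serialized_data()})\n"
    "TypeError: a bytes-like object is required, not 'str'"
)


def render_as_template(tb):
    """Pattern from the ticket: the data is part of the format string."""
    return format_html_like('<div class="hidden_menu">' + tb + "</div>")


def render_as_argument(tb):
    """Constant template; the traceback is an argument, so it is escaped
    and its braces are never parsed as replacement fields."""
    return format_html_like('<div class="hidden_menu">{}</div>', tb)


def render_braces_doubled(tb):
    """Doubling braces avoids the KeyError but the text stays unescaped."""
    doubled = tb.replace("{", "{{").replace("}", "}}")
    return format_html_like('<div class="hidden_menu">' + doubled + "</div>")


def failure_of(func, tb):
    """Return 'ExceptionName: message' if rendering fails, else None."""
    try:
        func(tb)
    except (KeyError, IndexError, ValueError) as exc:
        return type(exc).__name__ + ": " + str(exc)
    return None


if __name__ == "__main__":
    print(failure_of(render_as_template, TRACEBACK))
    print(render_as_argument(TRACEBACK))
    print(render_braces_doubled(TRACEBACK))
```

Only `render_as_argument` both avoids the exception and HTML-escapes the traceback; doubling the braces leaves `<module>` and any other markup in the data unescaped in the page.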