Bug #8523
closed
Unauthorized users can perform DoS attacks
Added by Evgeny Novikov over 6 years ago.
Updated over 6 years ago.
Description
The issue was discovered by Alexey Khoroshilov. The corresponding error description is the following:
AttributeError at /reports/coverage-light/1829813/
'AnonymousUser' object has no attribute 'extended'
Request Method: GET
Request URL: http://ldvstore:8998/reports/coverage-light/1829813/
Django Version: 1.11.3
Exception Type: AttributeError
Exception Value:
'AnonymousUser' object has no attribute 'extended'
Exception Location: /usr/local/lib/python3.4/dist-packages/django/utils/functional.py in inner, line 239
Python Executable: /usr/bin/python3
Python Version: 3.4.2
Python Path:
['/var/www/bridge',
'/usr/local/bin',
'/usr/lib/python3.4',
'/usr/lib/python3.4/plat-x86_64-linux-gnu',
'/usr/lib/python3.4/lib-dynload',
'/usr/local/lib/python3.4/dist-packages',
'/usr/lib/python3/dist-packages']
Server time: Пн, 23 Окт 2017 16:41:24 +0000
Related issues
1 (1 open — 0 closed)
- Due date set to 10/24/2017
- Status changed from New to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
I merged the branch to master in 68ca934. In addition, I backported the fix to branch v0.2-stable since this bug can lie down production servers.
Indeed it would be great to have corresponding test cases that will try to access all possible entry points without being authorized.
- Status changed from Closed to Open
I found out another reason located almost in the same place:
[05.Dec.2017 16:18:01] Internal Server Error: /reports/ajax/get-coverage-src/
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/exception.py", line 41, in inner
response = get_response(request)
File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
response = self._get_response(request)
File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 187, in _get_response
response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 185, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/var/www/klever-bridge/tools/profiling.py", line 133, in wait
res = f(*args, **kwargs)
File "/var/www/klever-bridge/reports/views.py", line 873, in get_coverage_src
activate(request.user.extended.language)
File "/usr/local/lib/python3.5/dist-packages/django/utils/functional.py", line 239, in inner
return func(self._wrapped, *args)
AttributeError: 'AnonymousUser' object has no attribute 'extended'
- Status changed from Open to Resolved
- Status changed from Resolved to Closed
I merged the branch to master in fd8420e. In addition, I backported the commit to branch v0.2-stable by the same reason as for the previous bug fix.
BTW, I hope that one day we will have appropriate tests. For instance, I couldn't test the last bug fix. Moreover, it was revealed unexpectedly, since this is a post request that one can't easily generate and by unknown reasons my authorization was dropped between viewing code coverage and trying to view code coverage for another file.
Also available in: Atom
PDF