Bug #8523: Unauthorized users can perform DoS attacks
Status: Closed
Done: 100%
Description
The issue was discovered by Alexey Khoroshilov. The corresponding error description is the following:
AttributeError at /reports/coverage-light/1829813/
'AnonymousUser' object has no attribute 'extended'
Request Method: GET
Request URL: http://ldvstore:8998/reports/coverage-light/1829813/
Django Version: 1.11.3
Exception Type: AttributeError
Exception Value: 'AnonymousUser' object has no attribute 'extended'
Exception Location: /usr/local/lib/python3.4/dist-packages/django/utils/functional.py in inner, line 239
Python Executable: /usr/bin/python3
Python Version: 3.4.2
Python Path: ['/var/www/bridge', '/usr/local/bin', '/usr/lib/python3.4', '/usr/lib/python3.4/plat-x86_64-linux-gnu', '/usr/lib/python3.4/lib-dynload', '/usr/local/lib/python3.4/dist-packages', '/usr/lib/python3/dist-packages']
Server time: Пн, 23 Окт 2017 16:41:24 +0000
Updated by Vladimir Gratinskiy about 7 years ago
- Due date set to 10/24/2017
- Status changed from New to Resolved
- % Done changed from 0 to 100
Fixed in fix_8523.
Updated by Evgeny Novikov about 7 years ago
- Status changed from Resolved to Closed
I merged the branch to master in 68ca934. In addition, I backported the fix to branch v0.2-stable since this bug can take down production servers.
Indeed it would be great to have corresponding test cases that will try to access all possible entry points without being authorized.
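The crash in the description and the unauthenticated-entry-point sweep suggested in the previous comment, as an added example that is not Klever's code and not the contents of the fix_8523 branch. It deliberately avoids a Django dependency: `AnonymousUser`, the per-user `extended` profile, the request object and the handler that converts an unhandled exception into a 500 are all modelled with plain Python classes whose shapes are assumptions, and `login_required` mirrors the behaviour of Django's decorator of the same name (redirect to a login page). The URL list is constructed from the two paths in this issue.

```python
# Added example (not Klever's code): reproduces the AttributeError from this
# issue, shows the guard that prevents it, and runs the "hit every entry point
# unauthenticated" check proposed in the thread.
from dataclasses import dataclass, field
from typing import Dict

DEFAULT_LANGUAGE = "en"


@dataclass
class Extended:
    """Stand-in for the per-user profile the bridge exposes as `extended` (assumed shape)."""
    language: str = "ru"


@dataclass
class User:
    is_authenticated: bool = True
    extended: Extended = field(default_factory=Extended)


class AnonymousUser:
    """Like django.contrib.auth.models.AnonymousUser: no profile attribute at all."""
    is_authenticated = False


@dataclass
class Request:
    method: str
    user: object


class HttpResponse:
    def __init__(self, status: int, body: str = "") -> None:
        self.status_code = status
        self.body = body


def vulnerable_get_coverage_src(request):
    # The bug: dereferences request.user.extended without checking that the
    # user is authenticated, so an anonymous request raises AttributeError,
    # which the framework turns into a 500 Internal Server Error.
    language = request.user.extended.language
    return HttpResponse(200, f"coverage source in {language}")


def login_required(view):
    # Equivalent of django.contrib.auth.decorators.login_required: anonymous
    # callers get a redirect to the login page instead of reaching the view.
    def wrapper(request, *args, **kwargs):
        if not getattr(request.user, "is_authenticated", False):
            return HttpResponse(302, "/login/")
        return view(request, *args, **kwargs)
    return wrapper


def user_language(request) -> str:
    # Defence in depth for views that must stay reachable anonymously:
    # fall back to the site default instead of touching a missing profile.
    user = request.user
    if getattr(user, "is_authenticated", False) and hasattr(user, "extended"):
        return user.extended.language
    return DEFAULT_LANGUAGE


@login_required
def fixed_get_coverage_src(request):
    return HttpResponse(200, f"coverage source in {user_language(request)}")


def dispatch(view, request) -> int:
    # Minimal stand-in for Django's request handler: an unhandled exception
    # becomes status 500, exactly what the tracebacks in this issue show.
    try:
        return view(request).status_code
    except Exception:
        return 500


# Constructed entry-point table; a real sweep would walk the URL resolver.
URLS = {
    "/reports/coverage-light/1829813/": fixed_get_coverage_src,
    "/reports/ajax/get-coverage-src/": fixed_get_coverage_src,
}


def sweep_anonymous(urls=URLS, methods=("GET", "POST")) -> Dict[str, int]:
    """Hit every entry point unauthenticated and record the status code.
    Any 500 in the result is a bug of the kind reported in this issue."""
    results = {}
    for path, view in urls.items():
        for method in methods:
            results[f"{method} {path}"] = dispatch(view, Request(method, AnonymousUser()))
    return results


if __name__ == "__main__":
    print("anonymous, vulnerable view:", dispatch(vulnerable_get_coverage_src, Request("GET", AnonymousUser())))
    print("anonymous, fixed view:     ", dispatch(fixed_get_coverage_src, Request("GET", AnonymousUser())))
    for entry, code in sweep_anonymous().items():
        print(f"{code} {entry}")
```

The sweep is the reusable part: registering every view in the table and asserting that no anonymous request yields a 500 turns the one-off bug hunt into a regression test, and it covers POST endpoints that are awkward to trigger by hand from a browser.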
Updated by Evgeny Novikov about 7 years ago
- Status changed from Closed to Open
I found out another reason located almost in the same place:
[05.Dec.2017 16:18:01] Internal Server Error: /reports/ajax/get-coverage-src/
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/var/www/klever-bridge/tools/profiling.py", line 133, in wait
    res = f(*args, **kwargs)
  File "/var/www/klever-bridge/reports/views.py", line 873, in get_coverage_src
    activate(request.user.extended.language)
  File "/usr/local/lib/python3.5/dist-packages/django/utils/functional.py", line 239, in inner
    return func(self._wrapped, *args)
AttributeError: 'AnonymousUser' object has no attribute 'extended'
Updated by Vladimir Gratinskiy about 7 years ago
- Status changed from Open to Resolved
Fixed in fix_8523.
Updated by Evgeny Novikov about 7 years ago
- Status changed from Resolved to Closed
I merged the branch to master in fd8420e. In addition, I backported the commit to branch v0.2-stable for the same reason as for the previous bug fix.
BTW, I hope that one day we will have appropriate tests. For instance, I couldn't test the last bug fix. Moreover, it was revealed unexpectedly, since this is a POST request that one can't easily generate, and for unknown reasons my authorization was dropped between viewing code coverage and trying to view code coverage for another file.