Opened 6 years ago

Closed 5 years ago

#12253 closed defect (fixed)

Doesn't protect against invalid input

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Component: VotePlugin
Severity: normal
Keywords:
Cc: Steffen Hoffmann
Trac Release:

Description

The following is frequently seen in the logs:

Traceback (most recent call last):
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/web/main.py", line 251, in dispatch
    self._post_process_request(req)
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/web/main.py", line 349, in _post_process_request
    f.post_process_request(req, *(None,)*extra_arg_count)
  File "/path/to/pve/lib/python2.6/site-packages/TracVote-0.3dev_r14352-py2.6.egg/tracvote/__init__.py", line 435, in post_process_request
    resource_from_path(self.env, req.path_info):
  File "/path/to/pve/lib/python2.6/site-packages/TracVote-0.3dev_r14352-py2.6.egg/tracvote/__init__.py", line 141, in resource_from_path
    elif resource_exists(env, resource) in (None, True):
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/resource.py", line 454, in resource_exists
    return manager.resource_exists(resource)
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/ticket/api.py", line 601, in resource_exists
    (resource.id,)):
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/db/api.py", line 123, in execute
    return db.execute(query, params)
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/db/util.py", line 128, in execute
    cursor.execute(query, params if params is not None else [])
  File "/path/to/pve/lib/python2.6/site-packages/Trac-1.0.5-py2.6.egg/trac/db/util.py", line 72, in execute
    return self.cursor.execute(sql_escape_percent(sql), args)
DataError: invalid input syntax for integer: ""
LINE 1: SELECT id FROM ticket WHERE id=E''
                                       ^
DataError: invalid input syntax for integer: ""
LINE 1: SELECT id FROM ticket WHERE id=E''

Change History (5)

comment:1 Changed 6 years ago by Ryan J Ollos

Status: new → accepted

comment:2 Changed 5 years ago by Ryan J Ollos

Cc: Steffen Hoffmann added
Keywords: hasienda removed

I'm considering fixing this in the Trac API: trac:#12076.

comment:3 Changed 5 years ago by Ryan J Ollos

Even if fixed in trac:milestone:1.0.7, it is probably worth implementing a fix for Trac < 1.0.7. I'm considering a simple fix, such as:

def _resource_exists(env, resource):
    try:
        return resource_exists(env, resource)
    except env.db_exc.DatabaseError:
        return False

No exception is raised for SQLite or MySQL.

comment:4 Changed 5 years ago by Ryan J Ollos

I'll make the change described in comment:3 now that refactoring has been done in [14591].

comment:5 Changed 5 years ago by Ryan J Ollos

Resolution: fixed
Status: accepted → closed

In 14592:

0.3dev: Trap exceptions from resource_exists.

This avoids a traceback in the logs from invalid ticket IDs (e.g. /ticket/a). Fixes #12253.
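
The two defenses relevant to this ticket side by side, as an added example that is not VotePlugin or Trac code: trapping the database error as in comment:3, and, going one step beyond the ticket, rejecting a malformed id parsed from the request path before any query runs. `strict_ticket_exists`, `DataError`, `TICKETS` and the other names are hypothetical stand-ins; the strict check imitates the PostgreSQL behaviour shown in the traceback.

```python
import re

class DataError(Exception):
    """Stand-in for the backend's DataError (constructed for this example)."""

# Constructed sample data: ids of tickets that exist.
TICKETS = {1, 2, 42}

def strict_ticket_exists(ticket_id):
    """Imitate a strictly typed backend: a non-integer id raises an error
    (as PostgreSQL does in the traceback) instead of matching no rows."""
    if not re.fullmatch(r"[0-9]+", str(ticket_id)):
        raise DataError('invalid input syntax for integer: "%s"' % ticket_id)
    return int(ticket_id) in TICKETS

_TICKET_PATH = re.compile(r"/ticket/([^/]*)\Z")

def ticket_id_from_path(path_info):
    """Return the ticket id as an int, or None for anything malformed."""
    match = _TICKET_PATH.match(path_info)
    if not match:
        return None
    raw = match.group(1)
    # ASCII digits only, bounded length; str.isdigit() would also accept
    # characters such as superscript digits that int() rejects.
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)

def ticket_exists_trapped(raw_id):
    """Approach from comment:3: let the query run, trap the database error."""
    try:
        return strict_ticket_exists(raw_id)
    except DataError:
        return False

def ticket_exists_validated(path_info):
    """Validate first, so a malformed id never reaches the database."""
    ticket_id = ticket_id_from_path(path_info)
    if ticket_id is None:
        return False
    return strict_ticket_exists(ticket_id)
```

Both functions return False for `/ticket/a` and for the empty id seen in the log; only the validated path does so without sending a query.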
