From 4c1233cbfe36805fe5fb511b6746bae86cac975d Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Sun, 15 Apr 2018 14:49:13 +0200
Subject: [PATCH] Don't crash when passing in invalid values for filters

Previously we'd throw a 500 internal server error, and cause error logging to happen. This became evident when scripts trying to SQL-inject the site started hitting us..

Instead, just ignore any filters that pass non-integer values into integer fields completely.
---
 pgcommitfest/commitfest/views.py | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/pgcommitfest/commitfest/views.py b/pgcommitfest/commitfest/views.py
index 68bdbef..049610f 100644
--- a/pgcommitfest/commitfest/views.py
+++ b/pgcommitfest/commitfest/views.py
@@ -106,7 +106,12 @@ def commitfest(request, cfid):
     # Build a dynamic filter based on the filtering options entered
     q = Q()
     if request.GET.has_key('status') and request.GET['status'] != "-1":
-        q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+        try:
+            q = q & Q(patchoncommitfest__status=int(request.GET['status']))
+        except ValueError:
+            # int() failed -- so just ignore this filter
+            pass
+
     if request.GET.has_key('author') and request.GET['author'] != "-1":
         if request.GET['author'] == '-2':
             q = q & Q(authors=None)
@@ -116,7 +121,12 @@ def commitfest(request, cfid):
                 return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
             q = q & Q(authors=request.user)
         else:
-            q = q & Q(authors__id=int(request.GET['author']))
+            try:
+                q = q & Q(authors__id=int(request.GET['author']))
+            except ValueError:
+                # int() failed -- so just ignore this filter
+                pass
+
     if request.GET.has_key('reviewer') and request.GET['reviewer'] != "-1":
         if request.GET['reviewer'] == '-2':
             q = q & Q(reviewers=None)
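Review bot: Each new `try` in this hunk wraps the whole `q = q & Q(...)` expression rather than just the `int()` call, so a `ValueError` raised by anything else in that line would also be silently treated as "invalid filter value"; the `try` body should cover the conversion only. The same shape, with the same `pass` comment, is repeated for the author filter in the next hunk and for the reviewer filter in the hunk at -126, so a small module-level helper that returns `None` for a non-integer query-string value would replace the three copies and make the "ignore the filter" policy explicit in one place. Each filter then becomes a conversion followed by `if status is not None: q = q & Q(patchoncommitfest__status=status)`, as sketched below for the status filter. commitfest() begins before this hunk, so the helper belongs at module level above it.
```python
def _int_or_none(value):
    """Return *value* as an int, or None if it is not a valid integer.

    Query-string values come straight from the client; a non-integer is
    treated as "no filter" instead of raising (avoids a 500 on bad input).
    """
    try:
        return int(value)
    except ValueError:
        return None

# … inside commitfest(), replacing the try/except around the status filter …
    if request.GET.has_key('status') and request.GET['status'] != "-1":
        status = _int_or_none(request.GET['status'])
        if status is not None:
            q = q & Q(patchoncommitfest__status=status)
```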
@@ -126,7 +136,11 @@ def commitfest(request, cfid):
                 return HttpResponseRedirect('%s?next=%s' % (settings.LOGIN_URL, request.path))
             q = q & Q(reviewers=request.user)
         else:
-            q = q & Q(reviewers__id=int(request.GET['reviewer']))
+            try:
+                q = q & Q(reviewers__id=int(request.GET['reviewer']))
+            except ValueError:
+                # int() failed -- so just ignore this filter
+                pass

     if request.GET.has_key('text') and request.GET['text'] != '':
         q = q & Q(name__icontains=request.GET['text'])
@@ -136,7 +150,10 @@ def commitfest(request, cfid):
     # Figure out custom ordering
     ordering = ['-is_open', 'topic__topic', 'created',]
     if request.GET.has_key('sortkey') and request.GET['sortkey']!='':
-        sortkey=int(request.GET['sortkey'])
+        try:
+            sortkey=int(request.GET['sortkey'])
+        except ValueError:
+            sortkey=0
         if sortkey==1:
             ordering = ['-is_open', 'modified', 'created',]
-- 2.39.5