Attempting to set redirection_url to a tuple instead of a string in login machinery
Bug #31589 reported by Stuart Bishop
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Invalid | Critical | Unassigned | |
Bug Description
As seen with OOPS-46C148, there is a code path somewhere that passes a
tuple through to the database layer instead of a string.
affects /products/launchpad
--
Stuart Bishop <email address hidden> http://
Canonical Ltd. http://
Changed in launchpad:
status: Unconfirmed → Confirmed
Changed in launchpad:
assignee: nobody → salgado
assignee: salgado → nobody
Changed in launchpad:
assignee: nobody → daf
Changed in launchpad:
status: Confirmed → In Progress
Changed in launchpad-foundations:
status: In Progress → Triaged
assignee: Steve Alexander (stevea) → nobody
Changed in launchpad:
importance: Medium → Critical
If I go to https://launchpad.net/+login, the template code puts the following in the form element:
<input type="hidden" name="redirection_url" />
So the redirection_url form item will be posted back with a value of "".
If I go to https://launchpad.net/+login?redirection_url= (essentially what I'd get for posting an empty redirection_url), the form contains the following:
<input type="hidden" name="redirection_url" />
...
<!-- Preserve extra query parameters as hidden fields. -->
<input type="hidden" name="redirection_url" value="" />
This would result in two "redirection_url" items being posted back, which is similar to the results observed in the OOPS.
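
The duplicate-field case described in the comment above, as an added example that is not part of the original bug report or Launchpad's code. Python's standard-library parse_qs stands in for the Zope form machinery (an assumption), the POST bodies are constructed, and single_value is a hypothetical helper showing one way to guarantee that a single string reaches later layers.

```python
from urllib.parse import parse_qs

# Constructed POST bodies modelled on the two cases in the comment above:
# one hidden redirection_url field, and the same field emitted twice.
SINGLE_FIELD_BODY = "redirection_url=&email=user%40example.com"
DUPLICATE_FIELD_BODY = (
    "redirection_url=&redirection_url=&email=user%40example.com"
)


def parse_form(body):
    """Parse a urlencoded body; a repeated name yields several values."""
    # keep_blank_values=True so the empty redirection_url fields survive.
    return parse_qs(body, keep_blank_values=True)


def single_value(form, name, default=""):
    """Return exactly one string for `name`, or raise ValueError.

    Hypothetical helper: identical repeats are collapsed and conflicting
    repeats are rejected, so a sequence never reaches the database layer.
    """
    values = form.get(name, [])
    if isinstance(values, str):
        values = [values]
    distinct = set(values)
    if not distinct:
        return default
    if len(distinct) > 1:
        raise ValueError("conflicting values for %r" % name)
    return distinct.pop()


if __name__ == "__main__":
    form = parse_form(DUPLICATE_FIELD_BODY)
    # The raw form value is a sequence of two empty strings, not a string.
    print("raw value:", form["redirection_url"])
    print("normalised:", repr(single_value(form, "redirection_url")))
```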