django-concurrency
Why is the exception VersionError raised for an invalid value in the hidden field "version" in forms?
When we run security scans on a form that uses the "django-concurrency form",
the logs are polluted with messages like:
ERROR (django.security.VersionError) -5 OR 425=(SELECT 709 FROM PG_SLEEP(15))
ERROR (django.security.VersionError) ... or other non numer values ...
Why isn't "super().to_python(...)" called in VersionField.to_python so that integer validation is applied there?
The exception VersionError is raised instead for all non-numeric values there:
https://github.com/saxix/django-concurrency/blob/f94fcf78c03f41d3b3e854753b1385e830a997bf/src/concurrency/forms.py#L123
Why isn't ValidationError raised there (as for other invalid fields)?
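To illustrate the two behaviours the issue contrasts, here is an added example that is not django-concurrency's or Django's code: IntegerField, ValidationError and VersionError are minimal stand-ins, so it runs without Django, and the "before" field's exact logic is an assumption modelled on the description above.

```python
# Added example (not django-concurrency's code). Minimal stand-ins for
# django.forms.IntegerField, ValidationError and concurrency's VersionError.

class ValidationError(Exception):
    """Stand-in for Django's form ValidationError (shown as a field error)."""

class VersionError(Exception):
    """Stand-in for concurrency's VersionError (an optimistic-lock failure)."""

class IntegerField:
    """Stand-in for IntegerField.to_python: non-numeric input -> ValidationError."""
    def to_python(self, value):
        if value in (None, ""):
            return None
        try:
            return int(str(value).strip())
        except ValueError:
            raise ValidationError("Enter a whole number.")

class VersionFieldBefore(IntegerField):
    """Hypothetical 'before': any non-numeric value becomes a VersionError,
    which surfaces as a logged exception rather than a form error."""
    def to_python(self, value):
        try:
            return int(value)
        except (TypeError, ValueError):
            raise VersionError(f"invalid version value {value!r}")

class VersionFieldAfter(IntegerField):
    """Hypothetical 'after': delegate to IntegerField so scanner junk is
    rejected as an ordinary field error; VersionError stays reserved for a
    genuine version mismatch detected later, on save."""
    def to_python(self, value):
        return super().to_python(value)

def clean(field, raw):
    """Classify how a field handles raw input: ('ok', int|None),
    ('form_error', message) or ('exception', exception class name)."""
    try:
        return ("ok", field.to_python(raw))
    except ValidationError as exc:
        return ("form_error", str(exc))
    except VersionError as exc:
        return ("exception", type(exc).__name__)

# Constructed sample inputs; the third one is the scanner payload quoted in the issue.
SAMPLES = ["7", "", "-5 OR 425=(SELECT 709 FROM PG_SLEEP(15))", "abc"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw), "before:", clean(VersionFieldBefore(), raw),
              "after:", clean(VersionFieldAfter(), raw))
```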
@tomas-zemres what do you think about the related PR?