wcs: do not crash on POST with invalid cell identifiers (#24147)

2018-05-29 16:34:45 +02:00 · 2018-05-29 16:34:45 +02:00 · d245938ecc
parent 8630b9ee32
commit d245938ecc
2 changed files with 16 additions and 2 deletions
--- a/combo/apps/wcs/views.py
+++ b/combo/apps/wcs/views.py
@ -17,7 +17,7 @@
 import urlparse

 from django.contrib import messages
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseBadRequest
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
@ -38,7 +38,10 @@ class TrackingCodeView(View):
        return super(TrackingCodeView, self).dispatch(*args, **kwargs)

    def post(self, request, *args, **kwargs):
-        cell = TrackingCodeInputCell.objects.get(id=request.POST['cell'])
+        try:
+            cell = TrackingCodeInputCell.objects.get(id=request.POST['cell'])
+        except (ValueError, TrackingCodeInputCell.DoesNotExist):
+            return HttpResponseBadRequest('Invalid cell id')
        code = request.POST['code']
        if cell.wcs_site:
            wcs_sites = [get_wcs_services().get(cell.wcs_site)]
--- a/tests/test_wcs.py
+++ b/tests/test_wcs.py
@ -586,3 +586,14 @@ def test_tracking_code_cell(app):
    resp.form['code'] = 'CNPHNTFB'
    resp = resp.form.submit()
    assert resp.location == 'http://example.net/?foo=bar&unknown-tracking-code'
+
+    # error handling
+    resp = app.get('/')
+    resp.form['cell'] = '9999'
+    resp.form['code'] = 'CNPHNTFB'
+    resp = resp.form.submit(status=400)
+
+    resp = app.get('/')
+    resp.form['cell'] = 'xxxx'
+    resp.form['code'] = 'CNPHNTFB'
+    resp = resp.form.submit(status=400)