getsentry / raven-python

Raven is the legacy Python client for Sentry (getsentry.com) — replaced by sentry-python
https://sentry.io
BSD 3-Clause "New" or "Revised" License
1.68k stars, 657 forks

"ValueError: unsupported format character ''' (0x27)" in Django client #1287

Open johanndt opened 5 years ago

johanndt commented 5 years ago

We've had raven throw the above exception quite regularly in Django. Here is the full trace:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/celery/app/trace.py", line 253, in trace_task
    I, R, state, retval = on_error(task_request, exc, uuid)
  File "/usr/local/lib/python3.5/dist-packages/celery/app/trace.py", line 201, in on_error
    R = I.handle_error_state(task, eager=eager)
  File "/usr/local/lib/python3.5/dist-packages/celery/app/trace.py", line 85, in handle_error_state
    }[self.state](task, store_errors=store_errors)
  File "/usr/local/lib/python3.5/dist-packages/celery/app/trace.py", line 125, in handle_failure
    einfo=einfo)
  File "/usr/local/lib/python3.5/dist-packages/celery/utils/dispatch/signal.py", line 166, in send
    response = receiver(signal=self, sender=sender, **named)
  File "/usr/local/lib/python3.5/dist-packages/raven/contrib/celery/__init__.py", line 87, in process_failure_signal
    fingerprint=fingerprint,
  File "/usr/local/lib/python3.5/dist-packages/raven/base.py", line 824, in captureException
    'raven.events.Exception', exc_info=exc_info, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/raven/contrib/django/client.py", line 303, in capture
    result = super(DjangoClient, self).capture(event_type, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/raven/base.py", line 644, in capture
    **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/raven/contrib/django/client.py", line 244, in build_msg
    data = super(DjangoClient, self).build_msg(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/raven/base.py", line 503, in build_msg
    crumbs = self.context.breadcrumbs.get_buffer()
  File "/usr/local/lib/python3.5/dist-packages/raven/breadcrumbs.py", line 76, in get_buffer
    processor(payload)
  File "/usr/local/lib/python3.5/dist-packages/raven/contrib/django/client.py", line 91, in processor
    real_sql = real_sql % tuple(real_params)
ValueError: unsupported format character ''' (0x27) at index 9651

It would appear that in real_sql there are some % characters which are confusing the naive parameter injection.

Ignoring ValueErrors or properly escaping the % characters should do the trick.
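The failure mode described in this issue, reproduced and then handled, as an added example that is not raven's own code. The query text, the parameter values and the function names (`naive_format`, `format_sql_for_breadcrumb`, `escape_stray_percents`) are constructed for illustration; the reporter's trace refers to `raven/contrib/django/client.py`, which this example does not copy. The point is that a breadcrumb processor runs inside the error-reporting path, so a formatting crash there hides the original exception; the hardened version escapes `%` characters that are not DB-API placeholders and falls back to the raw query if interpolation still fails.

```python
import re

# Constructed sample: a query whose literal text contains '%' (a LIKE
# pattern) next to real %s placeholders. The "'" that follows the first
# '%' is exactly what str.__mod__ rejects ("unsupported format character").
SAMPLE_SQL = "SELECT id FROM users WHERE email LIKE '%' || %s || '%' AND active = %s"
SAMPLE_PARAMS = ("alice", True)

# Constructed sample using the pyformat paramstyle with a stray '%' in a comment-like literal.
SAMPLE_PYFORMAT_SQL = "SELECT * FROM quotas WHERE pct > 50% AND owner = %(owner)s"
SAMPLE_PYFORMAT_PARAMS = {"owner": "bob"}


def naive_format(sql, params):
    """The pattern that fails: treat the SQL as a printf-style template."""
    return sql % tuple(params)


def probe_naive(sql, params):
    """Return the ValueError message naive_format raises, or None if it succeeds."""
    try:
        naive_format(sql, params)
    except ValueError as exc:
        return str(exc)
    return None


# Matches either an already-escaped '%%', a pyformat '%(' opener, a '%s'
# placeholder, or a bare '%' (leftmost alternative wins at each position).
_PERCENT = re.compile(r"%%|%\(|%s|%")


def _escape_bare(match):
    # Only a bare '%' (not part of a placeholder) is doubled.
    token = match.group(0)
    return "%%" if token == "%" else token


def escape_stray_percents(sql):
    """Double every '%' in sql that does not start a %s or %(name)s placeholder."""
    return _PERCENT.sub(_escape_bare, sql)


def format_sql_for_breadcrumb(sql, params):
    """Render a query for a breadcrumb without ever raising.

    Hypothetical hardened replacement for `real_sql % tuple(real_params)`:
    escape literal percent signs first, then interpolate; on any mismatch
    between template and parameters, return the raw query plus the
    parameter repr so the original exception being reported still gets out.
    """
    if not params:
        return sql
    template = escape_stray_percents(sql)
    try:
        if isinstance(params, dict):
            return template % params
        return template % tuple(params)
    except (ValueError, TypeError, KeyError):
        return "%s -- params: %r" % (sql, params)


if __name__ == "__main__":
    print("naive:", probe_naive(SAMPLE_SQL, SAMPLE_PARAMS))
    print("hardened:", format_sql_for_breadcrumb(SAMPLE_SQL, SAMPLE_PARAMS))
    print("pyformat:", format_sql_for_breadcrumb(SAMPLE_PYFORMAT_SQL, SAMPLE_PYFORMAT_PARAMS))
    print("mismatch:", format_sql_for_breadcrumb("SELECT %s, %s", ("a",)))
```

A literal `%s` inside a string constant in the SQL is still ambiguous with a placeholder under the format paramstyle; that case is left to the except branch, which is why the fallback is kept even after escaping.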