Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected.

MattBlack85 · timgraham · commit aeb8c381789a · 2018-03-15T21:33:15.000-04:00
diff --git a/AUTHORS b/AUTHORS
@@ -549,6 +549,7 @@ answer newbie questions, and generally made Django that much better:
     Matt Riggott
     Matt Robenolt <m@robenolt.com>
     Mattia Larentis <mattia@laretis.eu>
+    Mattia Procopio <promat85@gmail.com>
     Mattias Loverot <mattias@stubin.se>
     mattycakes@gmail.com
     Max Burstein <http://maxburstein.com>
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
@@ -12,6 +12,7 @@
 )
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.sites.shortcuts import get_current_site
+from django.core.exceptions import ValidationError
 from django.http import HttpResponseRedirect, QueryDict
 from django.shortcuts import resolve_url
 from django.urls import reverse_lazy
@@ -285,7 +286,7 @@ def get_user(self, uidb64):
             # urlsafe_base64_decode() decodes to bytestring
             uid = urlsafe_base64_decode(uidb64).decode()
             user = UserModel._default_manager.get(pk=uid)
-        except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
+        except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist, ValidationError):
             user = None
         return user
 
diff --git a/docs/releases/2.0.4.txt b/docs/releases/2.0.4.txt
@@ -17,3 +17,7 @@ Bugfixes
 
 * Corrected admin's autocomplete widget to add a space after custom classes
   (:ticket:`29221`).
+
+* Fixed ``PasswordResetConfirmView`` crash when using a user model with a
+  ``UUIDField`` primary key and the reset URL contains an encoded primary key
+  value that decodes to an invalid UUID (:ticket:`29206`).
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
@@ -28,6 +28,7 @@
 from django.test import Client, TestCase, override_settings
 from django.test.utils import patch_logger
 from django.urls import NoReverseMatch, reverse, reverse_lazy
+from django.utils.http import urlsafe_base64_encode
 from django.utils.translation import LANGUAGE_SESSION_KEY
 
 from .client import PasswordResetConfirmClient
@@ -437,6 +438,14 @@ def _test_confirm_start(self):
         )
         return super()._test_confirm_start()
 
+    def test_confirm_invalid_uuid(self):
+        """A uidb64 that decodes to a non-UUID doesn't crash."""
+        _, path = self._test_confirm_start()
+        invalid_uidb64 = urlsafe_base64_encode('INVALID_UUID'.encode()).decode()
+        first, _uuidb64_, second = path.strip('/').split('/')
+        response = self.client.get('/' + '/'.join((first, invalid_uidb64, second)) + '/')
+        self.assertContains(response, 'The password reset link was invalid')
+
 
 class ChangePasswordTest(AuthViewsTestCase):
 

-Original file line number
+Diff line change
     Matt Riggott
     Matt Robenolt <[email protected]>
     Mattia Larentis <[email protected]>
 +    Mattia Procopio <[email protected]>
     Mattias Loverot <[email protected]>
     [email protected]
     Max Burstein <http://maxburstein.com>