I'm able to break a new tracker created with 0.7.1
(classic schema with no modifications) simply by sending
it an email that has a subject and a message body but
no Priority. Unless I've done something wrong, this is
quite a simple DoS: the issue index groups by priority,
so the unset value is looked up as priority None.
I get the following traceback on subsequent visits to
the web interface:
Templating Error
exceptions.IndexError: no such priority None
Debugging information follows
1. While evaluating the standard:'request/batch'
expression on line 13
Current variables:
templates <roundup.cgi.templating.Templates
instance at 0x408f4a2c>
repeat
<roundup.cgi.PageTemplates.TALES.SafeMapping instance
at 0x408f4f6c>
template <Roundup PageTemplate 'issue.index.html'>
default <roundup.cgi.PageTemplates.TALES.Default
instance at 0x4076de0c>
db <roundup.cgi.templating.HTMLDatabase instance
at 0x408f4a0c>
utils <roundup.cgi.templating.utils instance at
0x408f4a4c>
request <roundup.cgi.templating.HTMLRequest
instance at 0x408f48ac>
tracker <module '_roundup_tracker_1' from
'/www/roundup/trackers-2/test/__init__.pyo'>
context <HTMLClass(0x408f49ac) issue>
nothing None
config <module '_roundup_tracker_1.config' from
'/www/roundup/trackers-2/test/config.pyo'>
options {'ok_message': [], 'error_message': []}
loop <roundup.cgi.PageTemplates.TALES.SafeMapping
instance at 0x408f4f6c>
attrs {'tal:define': 'batch request/batch',
'tal:condition': 'context/is_view_ok'}
2. A problem occurred in your template
"issue.index.html".
3. In python expression
"db.issue.renderWith('index', sort=('-', 'activity'),
group=('+', 'priority'), filter=['status'],
columns=['id','activity','title','creator','assignedto',
'status'],
filterspec={'status':['-1','1','2','3','4','5','6','7']})"
4. While evaluating the expression on line 7
Current variables:
templates <roundup.cgi.templating.Templates
instance at 0x408f43cc>
repeat
<roundup.cgi.PageTemplates.TALES.SafeMapping instance
at 0x408f464c>
default <roundup.cgi.PageTemplates.TALES.Default
instance at 0x4076de0c>
db <roundup.cgi.templating.HTMLDatabase instance
at 0x408f44ec>
utils <roundup.cgi.templating.utils instance at
0x408f456c>
request <roundup.cgi.templating.HTMLRequest
instance at 0x408ed08c>
tracker <module '_roundup_tracker_1' from
'/www/roundup/trackers-2/test/__init__.pyo'>
template <Roundup PageTemplate 'home.html'>
nothing None
config <module '_roundup_tracker_1.config' from
'/www/roundup/trackers-2/test/config.pyo'>
options {'ok_message': [], 'error_message': []}
loop <roundup.cgi.PageTemplates.TALES.SafeMapping
instance at 0x408f464c>
attrs {'tal:replace': "structure
python:db.issue.renderWith('index',\n sort=('-',
'activity'), group=('+', 'priority'),
filter=['status'],\n
columns=['id','activity','title','creator','assignedto',
'status'],\n
filterspec={'status':['-1','1','2','3','4','5','6','7']})"}
5. A problem occurred in your template "home.html".
Full traceback:
Traceback (most recent call last):
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/client.py",
line 519, in renderContext
result = pt.render(self, None, None, **args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/templating.py",
line 246, in render
getEngine().getContext(c), output, tal=1,
strictinsert=0)()
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 154, in __call__
self.interpret(self.program)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 186, in interpret
handlers[opcode](self, args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 432, in do_insertStructure_tal
structure = self.engine.evaluateStructure(expr)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/TALES.py",
line 226, in evaluate
v = expression(self)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/PythonExpr.py",
line 72, in __call__
return f()
File "<string>", line 2, in f
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/templating.py",
line 606, in renderWith
return pt.render(self._client, self.classname, req,
**args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/templating.py",
line 246, in render
getEngine().getContext(c), output, tal=1,
strictinsert=0)()
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 154, in __call__
self.interpret(self.program)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 186, in interpret
handlers[opcode](self, args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 525, in do_useMacro
self.interpret(macro)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 186, in interpret
handlers[opcode](self, args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 345, in do_optTag_tal
self.do_optTag(stuff)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 330, in do_optTag
return self.no_tag(start, program)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 325, in no_tag
self.interpret(program)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 186, in interpret
handlers[opcode](self, args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 549, in do_defineSlot
self.interpret(slot)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 186, in interpret
handlers[opcode](self, args)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/TAL/TALInterpreter.py",
line 402, in do_setLocal_tal
self.engine.setLocal(name,
self.engine.evaluateValue(expr))
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/TALES.py",
line 226, in evaluate
v = expression(self)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/Expressions.py",
line 189, in __call__
return self._eval(econtext)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/Expressions.py",
line 184, in _eval
return render(ob, econtext.vars)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/PageTemplates/Expressions.py",
line 90, in render
ob = ob()
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/cgi/templating.py",
line 2018, in batch
l = klass.filter(matches, filterspec, sort, group)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/backends/back_anydbm.py",
line 1787, in filter
lcache[v] = self.db.getnode(lcn, v, lcldb)
File
"/usr/local/python2.3.2-ee-1004.1/lib/python2.3/site-packages/roundup/backends/back_anydbm.py",
line 331, in getnode
raise IndexError, "no such %s %s"%(classname, nodeid)
IndexError: no such priority None