
[1.0.X] Fixed #10034: the formtools security hash function is now fri…

…endlier to browsers that submit leading/trailing whitespace in form fields. Backport of [10752] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.0.X@10754 bcc190cf-cafb-0310-a4f2-bffc1f526a37
jacobian committed May 12, 2009
1 parent 5e20f14 commit 08577ab0f1b716e05d728c2c7544cd7dd7fa4877
Showing with 26 additions and 2 deletions.
  1. +20 −1 django/contrib/formtools/tests.py
  2. +6 −1 django/contrib/formtools/utils.py
@@ -1,5 +1,6 @@
import unittest
from django import forms from django import forms
from django.contrib.formtools import preview, wizard from django.contrib.formtools import preview, wizard, utils
from django import http from django import http
from django.test import TestCase from django.test import TestCase
@@ -101,6 +102,24 @@ def test_bool_submit(self):
response = self.client.post('/test1/', self.test_data) response = self.client.post('/test1/', self.test_data)
self.assertEqual(response.content, success_string) self.assertEqual(response.content, success_string)
class SecurityHashTests(unittest.TestCase):
def test_textfield_hash(self):
"""
Regression test for #10034: the hash generation function should ignore
leading/trailing whitespace so as to be friendly to broken browsers that
submit it (usually in textareas).
"""
class TestForm(forms.Form):
name = forms.CharField()
bio = forms.CharField()
f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
hash1 = utils.security_hash(None, f1)
hash2 = utils.security_hash(None, f2)
self.assertEqual(hash1, hash2)
# #
# FormWizard tests # FormWizard tests
# #
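Review bot: `test_textfield_hash` asserts only that the two hashes are equal, so it would still pass if `security_hash` ignored field values altogether. For a function used as an integrity check, the regression test should also pin that a real content change produces a different hash. After the existing assertion I would add `f3 = TestForm({'name': 'joe', 'bio': 'Nothing notable'})` and `self.assertNotEqual(hash1, utils.security_hash(None, f3))`. A case with whitespace inside the value (for example `'Nothing  notable.'`) would also document that only the ends are normalized.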
@@ -16,7 +16,12 @@ def security_hash(request, form, *args):
hash of that. hash of that.
""" """
data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form] data = []
for bf in form:
value = bf.field.clean(bf.data) or ''
if isinstance(value, basestring):
value = value.strip()
data.append((bf.name, value))
data.extend(args) data.extend(args)
data.append(settings.SECRET_KEY) data.append(settings.SECRET_KEY)
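Review bot: The new `value.strip()` in the loop means the security hash no longer covers leading or trailing whitespace of string values, so two submissions that differ only there now verify as the same data, and neither the docstring nor the code says this is intentional. I would put a comment above the `isinstance` check, for example `# Leading/trailing whitespace is deliberately left out of the hash (#10034); code consuming the submitted data must not treat it as significant.` Only top-level strings are normalized, so a field whose cleaned value is a list of strings would presumably still hash differently if a browser pads one element; that limit is worth stating in the same comment. `security_hash` starts and ends outside this hunk, so how `data` is turned into the final hash is not visible here.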
