Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #8092, #3828 -- Removed dictionary access for request objects s…

…o that GET and POST data doesn't "overwrite" request attributes when used in templates (since dictionary lookup is performed before attribute lookup). This is backwards-incompatible if you were using the request object for dictionary access to the combined GET and POST data, but you should use `request.REQUEST` for that instead.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@8202 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit daa6b38f352447a5afed3184f4ffffd0d6b1f1de 1 parent 71b2e01
Gary Wilson Jr. gdub authored
11 django/http/__init__.py
View
@@ -39,17 +39,6 @@ def __repr__(self):
(pformat(self.GET), pformat(self.POST), pformat(self.COOKIES),
pformat(self.META))
- def __getitem__(self, key):
- for d in (self.POST, self.GET):
- if key in d:
- return d[key]
- raise KeyError, "%s not found in either POST or GET" % key
-
- def has_key(self, key):
- return key in self.GET or key in self.POST
-
- __contains__ = has_key
-
def get_host(self):
"""Returns the HTTP host using the environment or request headers."""
# We try three options, in order of decreasing preference.
12 docs/request_response.txt
View
@@ -170,18 +170,6 @@ All attributes except ``session`` should be considered read-only.
Methods
-------
-``__getitem__(key)``
- Returns the GET/POST value for the given key, checking POST first, then
- GET. Raises ``KeyError`` if the key doesn't exist.
-
- This lets you use dictionary-accessing syntax on an ``HttpRequest``
- instance. Example: ``request["foo"]`` would return ``True`` if either
- ``request.POST`` or ``request.GET`` had a ``"foo"`` key.
-
-``has_key()``
- Returns ``True`` or ``False``, designating whether ``request.GET`` or
- ``request.POST`` has the given key.
-
``get_host()``
**New in Django development version**
0  tests/regressiontests/context_processors/__init__.py
View
No changes.
1  tests/regressiontests/context_processors/models.py
View
@@ -0,0 +1 @@
+# Models file for tests to run.
13 tests/regressiontests/context_processors/templates/context_processors/request_attrs.html
View
@@ -0,0 +1,13 @@
+{% if request %}
+Have request
+{% else %}
+No request
+{% endif %}
+
+{% if request.is_secure %}
+Secure
+{% else %}
+Not secure
+{% endif %}
+
+{{ request.path }}
38 tests/regressiontests/context_processors/tests.py
View
@@ -0,0 +1,38 @@
+"""
+Tests for Django's bundled context processors.
+"""
+
+from django.conf import settings
+from django.test import TestCase
+
+
+class RequestContextProcessorTests(TestCase):
+ """
+ Tests for the ``django.core.context_processors.request`` processor.
+ """
+
+ urls = 'regressiontests.context_processors.urls'
+
+ def test_request_attributes(self):
+ """
+ Test that the request object is available in the template and that its
+ attributes can't be overridden by GET and POST parameters (#3828).
+ """
+ url = '/request_attrs/'
+ # We should have the request object in the template.
+ response = self.client.get(url)
+ self.assertContains(response, 'Have request')
+ # Test is_secure.
+ response = self.client.get(url)
+ self.assertContains(response, 'Not secure')
+ response = self.client.get(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ response = self.client.post(url, {'is_secure': 'blah'})
+ self.assertContains(response, 'Not secure')
+ # Test path.
+ response = self.client.get(url)
+ self.assertContains(response, url)
+ response = self.client.get(url, {'path': '/blah/'})
+ self.assertContains(response, url)
+ response = self.client.post(url, {'path': '/blah/'})
+ self.assertContains(response, url)
8 tests/regressiontests/context_processors/urls.py
View
@@ -0,0 +1,8 @@
+from django.conf.urls.defaults import *
+
+import views
+
+
+urlpatterns = patterns('',
+ (r'^request_attrs/$', views.request_processor),
+)
8 tests/regressiontests/context_processors/views.py
View
@@ -0,0 +1,8 @@
+from django.core import context_processors
+from django.shortcuts import render_to_response
+from django.template.context import RequestContext
+
+
+def request_processor(request):
+ return render_to_response('context_processors/request_attrs.html',
+ RequestContext(request, {}, processors=[context_processors.request]))
Please sign in to comment.
Something went wrong with that request. Please try again.