
Fixed #10034: the formtools security hash function is now friendlier …

…to browsers that submit leading/trailing whitespace in form fields.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit fce800f3fda6d22e90215a63d60e3567c3a48128 1 parent d20a083
Jacob Kaplan-Moss authored May 12, 2009
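--- a/django/contrib/formtools/tests.py
+++ b/django/contrib/formtools/tests.py
@@ -1,5 +1,6 @@
+import unittest
 from django import forms
-from django.contrib.formtools import preview, wizard
+from django.contrib.formtools import preview, wizard, utils
 from django import http
 from django.test import TestCase
 
@@ -101,6 +102,24 @@ def test_bool_submit(self):
         response = self.client.post('/test1/', self.test_data)
         self.assertEqual(response.content, success_string)
 
+class SecurityHashTests(unittest.TestCase):
+
+    def test_textfield_hash(self):
+        """
+        Regression test for #10034: the hash generation function should ignore
+        leading/trailing whitespace so as to be friendly to broken browsers that
+        submit it (usually in textareas).
+        """
+        class TestForm(forms.Form):
+            name = forms.CharField()
+            bio = forms.CharField()
+        
+        f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
+        f2 = TestForm({'name': '  joe', 'bio': 'Nothing notable.  '})
+        hash1 = utils.security_hash(None, f1)
+        hash2 = utils.security_hash(None, f2)
+        self.assertEqual(hash1, hash2)
+
 #
 # FormWizard tests
 #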
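Review bot: test_textfield_hash only asserts that the whitespace-padded form hashes the same as the clean one; nothing pins that the hash still changes when the content itself changes, which is the property the security hash exists for. Add a negative case next to the existing assertion, for example `f3 = TestForm({'name': 'j oe', 'bio': 'Nothing notable.'})` followed by `self.assertNotEqual(hash1, utils.security_hash(None, f3))`, so that a later, broader normalisation (collapsing inner whitespace, say) fails the suite instead of passing silently. A case whose cleaned value is not a string would also exercise the `isinstance` branch this commit adds in utils.py.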
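--- a/django/contrib/formtools/utils.py
+++ b/django/contrib/formtools/utils.py
@@ -16,7 +16,12 @@ def security_hash(request, form, *args):
     hash of that.
     """
 
-    data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form]
+    data = []
+    for bf in form:
+        value = bf.field.clean(bf.data) or ''
+        if isinstance(value, basestring):
+            value = value.strip()
+        data.append((bf.name, value))
     data.extend(args)
     data.append(settings.SECRET_KEY)
 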
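Review bot: With `value.strip()` on new lines 22-23, security_hash no longer covers leading or trailing whitespace, so two submissions that differ only there produce the same hash and the stage that verifies it cannot tell them apart. That is the intent of the fix, but it narrows what the hash binds and should be stated where the next reader sees it, e.g. `# Strip so browsers that pad values still match; the hash does not cover leading/trailing whitespace.` above the `isinstance` check, plus a sentence in the docstring. Whether `bf.field.clean()` keeps that whitespace in the value the form finally processes is not visible here, so fields where it is significant should be checked. The function starts before this hunk and continues after it.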
