innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Removed Django 1.2 compatibility fallback for contrib.comments forms hash. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15953 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-03-30 17:35:12 +00:00
parent c922a04675
commit 5fa11b0035
2 changed files with 1 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
django/contrib/comments/forms.py
View File

@ -1,5 +1,4 @@
import datetime import datetime
import hashlib
import time import time
from django import forms from django import forms
from django.forms.util import ErrorDict from django.forms.util import ErrorDict
@ -47,12 +46,7 @@ class CommentSecurityForm(forms.Form):
expected_hash = self.generate_security_hash(**security_hash_dict) expected_hash = self.generate_security_hash(**security_hash_dict)
actual_hash = self.cleaned_data["security_hash"] actual_hash = self.cleaned_data["security_hash"]
if not constant_time_compare(expected_hash, actual_hash): if not constant_time_compare(expected_hash, actual_hash):
# Fallback to Django 1.2 method for compatibility raise forms.ValidationError("Security hash check failed.")
# PendingDeprecationWarning <- here to remind us to remove this
# fallback in Django 1.5
expected_hash_old = self._generate_security_hash_old(**security_hash_dict)
if not constant_time_compare(expected_hash_old, actual_hash):
raise forms.ValidationError("Security hash check failed.")
return actual_hash return actual_hash
def clean_timestamp(self): def clean_timestamp(self):
@ -95,12 +89,6 @@ class CommentSecurityForm(forms.Form):
value = "-".join(info) value = "-".join(info)
return salted_hmac(key_salt, value).hexdigest() return salted_hmac(key_salt, value).hexdigest()
def _generate_security_hash_old(self, content_type, object_pk, timestamp):
"""Generate a (SHA1) security hash from the provided info."""
# Django 1.2 compatibility
info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
return hashlib.sha1("".join(info)).hexdigest()
class CommentDetailsForm(CommentSecurityForm): class CommentDetailsForm(CommentSecurityForm):
""" """
Handles the specific details of the comment (name, comment, etc.). Handles the specific details of the comment (name, comment, etc.).

18
tests/regressiontests/comment_tests/tests/comment_form_tests.py
View File

@ -1,4 +1,3 @@
import hashlib
import time import time
from django.conf import settings from django.conf import settings
@ -46,23 +45,6 @@ class CommentFormTests(CommentTestCase):
def testObjectPKTampering(self): def testObjectPKTampering(self):
self.tamperWithForm(object_pk="3") self.tamperWithForm(object_pk="3")
def testDjango12Hash(self):
# Ensure we can use the hashes generated by Django 1.2
a = Article.objects.get(pk=1)
d = self.getValidData(a)
content_type = d['content_type']
object_pk = d['object_pk']
timestamp = d['timestamp']
# The Django 1.2 method hard-coded here:
info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
security_hash = hashlib.sha1("".join(info)).hexdigest()
d['security_hash'] = security_hash
f = CommentForm(a, data=d)
self.assertTrue(f.is_valid(), f.errors)
def testSecurityErrors(self): def testSecurityErrors(self):
f = self.tamperWithForm(honeypot="I am a robot") f = self.tamperWithForm(honeypot="I am a robot")
self.assertTrue("honeypot" in f.security_errors()) self.assertTrue("honeypot" in f.security_errors())