From b109ff8062f4bb225181ec462d69c9dd79339567 Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Mon, 13 Aug 2012 20:56:05 +0200 Subject: [PATCH] Replaced pickle by json in form_hmac calculation Refs #18340 --- django/contrib/formtools/tests/__init__.py | 19 ++++++++++--------- django/contrib/formtools/utils.py | 8 ++++---- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/django/contrib/formtools/tests/__init__.py b/django/contrib/formtools/tests/__init__.py index ee93479cbd..8a3027bc08 100644 --- a/django/contrib/formtools/tests/__init__.py +++ b/django/contrib/formtools/tests/__init__.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- from __future__ import unicode_literals import os @@ -165,8 +166,8 @@ class FormHmacTests(unittest.TestCase): leading/trailing whitespace so as to be friendly to broken browsers that submit it (usually in textareas). """ - f1 = HashTestForm({'name': 'joe', 'bio': 'Nothing notable.'}) - f2 = HashTestForm({'name': ' joe', 'bio': 'Nothing notable. '}) + f1 = HashTestForm({'name': 'joe', 'bio': 'Speaking español.'}) + f2 = HashTestForm({'name': ' joe', 'bio': 'Speaking español. '}) hash1 = utils.form_hmac(f1) hash2 = utils.form_hmac(f2) self.assertEqual(hash1, hash2) @@ -270,7 +271,7 @@ class WizardTests(TestCase): """ data = {"0-field": "test", "1-field": "test2", - "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca", + "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a", "wizard_step": "1"} response = self.client.post('/wizard1/', data) self.assertEqual(2, response.context['step0']) 
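Review bot: The updated `f1`/`f2` data in the `@@ -165,8 +166,8 @@` hunk of `FormHmacTests` covers non-ASCII text, but both values are still plain strings, so nothing here exercises the new JSON serialisation with a non-string value. A case built on a form with a date or decimal field would show whether `utils.form_hmac` still returns a hash for it after the switch. Whether such a test already exists elsewhere in the class cannot be seen from this hunk, and the test method itself starts above it.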
@@ -295,15 +296,15 @@ class WizardTests(TestCase):
 wizard = WizardWithProcessStep([WizardPageOneForm])
 data = {"0-field": "test",
 "1-field": "test2",
- "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca",
+ "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a",
 "wizard_step": "1"}
 wizard(DummyRequest(POST=data))
 self.assertTrue(reached[0])
 data = {"0-field": "test",
 "1-field": "test2",
- "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca",
- "hash_1": "1e6f6315da42e62f33a30640ec7e007ad3fbf1a1",
+ "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a",
+ "hash_1": "4c352938f08b0e6467bef3cda578a1d4a82edc66",
 "wizard_step": "2"}
 self.assertRaises(http.Http404, wizard, DummyRequest(POST=data))
@@ -325,7 +326,7 @@ class WizardTests(TestCase):
 WizardPageThreeForm])
 data = {"0-field": "test",
 "1-field": "test2",
- "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca",
+ "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a",
 "wizard_step": "1"}
 wizard(DummyRequest(POST=data))
 self.assertTrue(reached[0])
@@ -349,7 +350,7 @@ class WizardTests(TestCase):
 data = {"0-field": "test",
 "1-field": "test2",
- "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca",
+ "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a",
 "wizard_step": "1"}
 wizard(DummyRequest(POST=data))
 self.assertTrue(reached[0])
@@ -375,7 +376,7 @@ class WizardTests(TestCase):
 WizardPageThreeForm])
 data = {"0-field": "test",
 "1-field": "test2",
- "hash_0": "cd13b1db3e8f55174bc5745a1b1a53408d4fd1ca",
+ "hash_0": "09a53d8de15fc155bad33423e1d2ee2d82484d8a",
 "wizard_step": "1"}
 wizard(DummyRequest(POST=data))
 self.assertTrue(reached[0])
diff --git a/django/contrib/formtools/utils.py b/django/contrib/formtools/utils.py
index 8763cded07..8b37651ab7 100644
--- a/django/contrib/formtools/utils.py
+++ b/django/contrib/formtools/utils.py
@@ -1,5 +1,6 @@
-# Do not try cPickle here (see #18340)
-import pickle
+from __future__ import unicode_literals
+
+import json
 from django.utils.crypto import salted_hmac
 from django.utils import six
@@ -21,6 +22,5 @@ def form_hmac(form):
 value = value.strip()
 data.append((bf.name, value))
- pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
 key_salt = 'django.contrib.formtools'
- return salted_hmac(key_salt, pickled).hexdigest()
+ return salted_hmac(key_salt, json.dumps(data)).hexdigest()
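Review bot: `json.dumps(data)` in the new return line of `form_hmac` raises `TypeError` for any value JSON cannot encode, where `pickle.dumps` accepted any picklable object. The loop that fills `data` starts above this hunk, so this is inferred: if `value` can be a field's cleaned value such as a date, a `Decimal` or a model instance, forms with those fields would fail when the hash is computed. Either pass an encoder that covers the types you expect, for example `json.dumps(data, cls=DjangoJSONEncoder)`, or state in the docstring that only JSON-encodable values are supported. `json.dumps` also returns text rather than bytes, so confirm that `salted_hmac` encodes its value before it reaches `hmac.new` on Python 3. Because the serialised input changes, every hash issued before the upgrade stops verifying (the constants in tests/__init__.py all had to be replaced), which deserves a release note.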