mirror of https://github.com/django/django.git
Removed Django 1.2 compatibility fallback for contrib.comments forms hash.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15953 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
c922a04675
commit
5fa11b0035
|
@ -1,5 +1,4 @@
|
||||||
import datetime
|
import datetime
|
||||||
import hashlib
|
|
||||||
import time
|
import time
|
||||||
from django import forms
|
from django import forms
|
||||||
from django.forms.util import ErrorDict
|
from django.forms.util import ErrorDict
|
||||||
|
@ -47,12 +46,7 @@ class CommentSecurityForm(forms.Form):
|
||||||
expected_hash = self.generate_security_hash(**security_hash_dict)
|
expected_hash = self.generate_security_hash(**security_hash_dict)
|
||||||
actual_hash = self.cleaned_data["security_hash"]
|
actual_hash = self.cleaned_data["security_hash"]
|
||||||
if not constant_time_compare(expected_hash, actual_hash):
|
if not constant_time_compare(expected_hash, actual_hash):
|
||||||
# Fallback to Django 1.2 method for compatibility
|
raise forms.ValidationError("Security hash check failed.")
|
||||||
# PendingDeprecationWarning <- here to remind us to remove this
|
|
||||||
# fallback in Django 1.5
|
|
||||||
expected_hash_old = self._generate_security_hash_old(**security_hash_dict)
|
|
||||||
if not constant_time_compare(expected_hash_old, actual_hash):
|
|
||||||
raise forms.ValidationError("Security hash check failed.")
|
|
||||||
return actual_hash
|
return actual_hash
|
||||||
|
|
||||||
def clean_timestamp(self):
|
def clean_timestamp(self):
|
||||||
|
@ -95,12 +89,6 @@ class CommentSecurityForm(forms.Form):
|
||||||
value = "-".join(info)
|
value = "-".join(info)
|
||||||
return salted_hmac(key_salt, value).hexdigest()
|
return salted_hmac(key_salt, value).hexdigest()
|
||||||
|
|
||||||
def _generate_security_hash_old(self, content_type, object_pk, timestamp):
|
|
||||||
"""Generate a (SHA1) security hash from the provided info."""
|
|
||||||
# Django 1.2 compatibility
|
|
||||||
info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
|
|
||||||
return hashlib.sha1("".join(info)).hexdigest()
|
|
||||||
|
|
||||||
class CommentDetailsForm(CommentSecurityForm):
|
class CommentDetailsForm(CommentSecurityForm):
|
||||||
"""
|
"""
|
||||||
Handles the specific details of the comment (name, comment, etc.).
|
Handles the specific details of the comment (name, comment, etc.).
|
||||||
|
|
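Review bot: Nothing in this commit pins the new rejection path: in the second hunk a failed `constant_time_compare` now raises `ValidationError` straight away, but the test file only deletes `testDjango12Hash` instead of asserting that a Django 1.2-style hash no longer validates. Keeping that test's setup and changing its last line to `self.assertFalse(f.is_valid())` (which means keeping `import hashlib` in the tests) would guard against the plain SHA1 form being accepted again. A short comment above the check, e.g. `# Only the salted HMAC from generate_security_hash() is accepted.`, would also record the intent now that the fallback comments are gone. The enclosing method begins above the hunk, so its name and the construction of `security_hash_dict` are not visible here.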
|
@ -1,4 +1,3 @@
|
||||||
import hashlib
|
|
||||||
import time
|
import time
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
|
@ -46,23 +45,6 @@ class CommentFormTests(CommentTestCase):
|
||||||
def testObjectPKTampering(self):
|
def testObjectPKTampering(self):
|
||||||
self.tamperWithForm(object_pk="3")
|
self.tamperWithForm(object_pk="3")
|
||||||
|
|
||||||
def testDjango12Hash(self):
|
|
||||||
# Ensure we can use the hashes generated by Django 1.2
|
|
||||||
a = Article.objects.get(pk=1)
|
|
||||||
d = self.getValidData(a)
|
|
||||||
|
|
||||||
content_type = d['content_type']
|
|
||||||
object_pk = d['object_pk']
|
|
||||||
timestamp = d['timestamp']
|
|
||||||
|
|
||||||
# The Django 1.2 method hard-coded here:
|
|
||||||
info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
|
|
||||||
security_hash = hashlib.sha1("".join(info)).hexdigest()
|
|
||||||
|
|
||||||
d['security_hash'] = security_hash
|
|
||||||
f = CommentForm(a, data=d)
|
|
||||||
self.assertTrue(f.is_valid(), f.errors)
|
|
||||||
|
|
||||||
def testSecurityErrors(self):
|
def testSecurityErrors(self):
|
||||||
f = self.tamperWithForm(honeypot="I am a robot")
|
f = self.tamperWithForm(honeypot="I am a robot")
|
||||||
self.assertTrue("honeypot" in f.security_errors())
|
self.assertTrue("honeypot" in f.security_errors())
|
||||||
|
|