Fixed #10034: the formtools security hash function is now friendlier to browsers that submit leading/trailing whitespace in form fields.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@10752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Jacob Kaplan-Moss 2009-05-12 21:54:58 +00:00
parent d20a0834ac
commit fce800f3fd
2 changed files with 26 additions and 2 deletions


@ -1,5 +1,6 @@
import unittest
from django import forms from django import forms
from django.contrib.formtools import preview, wizard from django.contrib.formtools import preview, wizard, utils
from django import http from django import http
from django.test import TestCase from django.test import TestCase
@ -101,6 +102,24 @@ class PreviewTests(TestCase):
response = self.client.post('/test1/', self.test_data) response = self.client.post('/test1/', self.test_data)
self.assertEqual(response.content, success_string) self.assertEqual(response.content, success_string)
class SecurityHashTests(unittest.TestCase):
def test_textfield_hash(self):
"""
Regression test for #10034: the hash generation function should ignore
leading/trailing whitespace so as to be friendly to broken browsers that
submit it (usually in textareas).
"""
class TestForm(forms.Form):
name = forms.CharField()
bio = forms.CharField()
f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
hash1 = utils.security_hash(None, f1)
hash2 = utils.security_hash(None, f2)
self.assertEqual(hash1, hash2)
# #
# FormWizard tests # FormWizard tests
# #
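Review bot: `test_textfield_hash` in the new `SecurityHashTests` class asserts only that whitespace-padded input hashes equal, so it would still pass if `security_hash` stopped depending on field values altogether. A negative case would pin the integrity property this hash exists for: `f3 = TestForm({'name': 'joe', 'bio': 'Something else.'})` followed by `self.assertNotEqual(hash1, utils.security_hash(None, f3))`. A value that differs only in interior whitespace would be a useful second negative case, since only leading and trailing whitespace are meant to be ignored.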


@ -16,7 +16,12 @@ def security_hash(request, form, *args):
hash of that. hash of that.
""" """
data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form] data = []
for bf in form:
value = bf.field.clean(bf.data) or ''
if isinstance(value, basestring):
value = value.strip()
data.append((bf.name, value))
data.extend(args) data.extend(args)
data.append(settings.SECRET_KEY) data.append(settings.SECRET_KEY)
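Review bot: The new `value.strip()` in the loop makes the hash insensitive to leading/trailing whitespace in every string field, so a matching hash no longer shows that the resubmitted data is identical to what was hashed earlier, only that it is identical after stripping. Callers that rely on the hash to confirm a second submission matches the first, and then store the cleaned values verbatim, can end up persisting a value that differs from the hashed one by surrounding whitespace. The docstring, which starts outside this hunk, does not mention this in its visible part; it could gain a sentence such as `String values are stripped of leading/trailing whitespace before hashing, so values differing only in surrounding whitespace produce the same hash.` The function body also continues past the end of the hunk.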