Fixed #22638 -- Changed CookieWizardView to ignore invalid cookies
parent
3b765029f0
commit
ba5ddf7aed
|
@ -1,6 +0,0 @@
|
||||||
from django.core.exceptions import SuspiciousOperation
|
|
||||||
|
|
||||||
|
|
||||||
class WizardViewCookieModified(SuspiciousOperation):
|
|
||||||
"""Signature of cookie modified"""
|
|
||||||
pass
|
|
|
@ -1,6 +1,5 @@
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
from django.core import signing
|
from django.core import signing
|
||||||
from django.core.exceptions import SuspiciousOperation
|
|
||||||
from django.http import HttpResponse
|
from django.http import HttpResponse
|
||||||
|
|
||||||
from django.contrib.auth.tests.utils import skipIfCustomUser
|
from django.contrib.auth.tests.utils import skipIfCustomUser
|
||||||
|
@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase):
|
||||||
self.assertEqual(storage.load_data(), {'key1': 'value1'})
|
self.assertEqual(storage.load_data(), {'key1': 'value1'})
|
||||||
|
|
||||||
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
|
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
|
||||||
self.assertRaises(SuspiciousOperation, storage.load_data)
|
self.assertIsNone(storage.load_data())
|
||||||
|
|
||||||
def test_reset_cookie(self):
|
def test_reset_cookie(self):
|
||||||
request = get_request()
|
request = get_request()
|
||||||
|
|
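Review bot: The changed assertion only exercises a cookie value that is not in signed form at all (`'i_am_manipulated'`), so the case the release note calls out, a properly signed cookie that no longer verifies, is not covered. Both cases presumably reach the same handling in `get_signed_cookie`, but a second assertion would pin that down: sign a value with the already imported `signing` module, alter it, and check `self.assertIsNone(storage.load_data())` again. A short comment above the assertion would also help, for example `# An unverifiable cookie is ignored rather than raising, so the wizard restarts.` The enclosing test method starts above this hunk.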
|
@ -1,8 +1,5 @@
|
||||||
import json
|
import json
|
||||||
|
|
||||||
from django.core.signing import BadSignature
|
|
||||||
|
|
||||||
from django.contrib.formtools.exceptions import WizardViewCookieModified
|
|
||||||
from django.contrib.formtools.wizard import storage
|
from django.contrib.formtools.wizard import storage
|
||||||
|
|
||||||
|
|
||||||
|
@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage):
|
||||||
self.init_data()
|
self.init_data()
|
||||||
|
|
||||||
def load_data(self):
|
def load_data(self):
|
||||||
try:
|
data = self.request.get_signed_cookie(self.prefix, default=None)
|
||||||
data = self.request.get_signed_cookie(self.prefix)
|
|
||||||
except KeyError:
|
|
||||||
data = None
|
|
||||||
except BadSignature:
|
|
||||||
raise WizardViewCookieModified('WizardView cookie manipulated')
|
|
||||||
if data is None:
|
if data is None:
|
||||||
return None
|
return None
|
||||||
return json.loads(data, cls=json.JSONDecoder)
|
return json.loads(data, cls=json.JSONDecoder)
|
||||||
|
|
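Review bot: With `default=None` in `load_data`, a cookie that fails signature verification is now indistinguishable from a missing one, and the failure is no longer recorded anywhere. The removed `WizardViewCookieModified` was a `SuspiciousOperation`, so it at least surfaced tampering to whoever watches the error reporting. Ignoring the cookie is reasonable for users, but I would keep a detection signal, which needs a module-level logger that this file does not currently define: `if data is None and self.prefix in self.request.COOKIES: logger.warning('Ignoring wizard cookie with an invalid signature')`. A secret key rotation will produce a burst of these, so the level should be one operators can filter. The call also deserves a comment such as `# default=None also swallows BadSignature: an unverifiable cookie restarts the wizard.`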
|
@ -45,7 +45,13 @@ Minor features
|
||||||
:mod:`django.contrib.formtools`
|
:mod:`django.contrib.formtools`
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
* ...
|
* A :doc:`form wizard </ref/contrib/formtools/form-wizard>` using the
|
||||||
|
:class:`~django.contrib.formtools.wizard.views.CookieWizardView` will now ignore
|
||||||
|
an invalid cookie, and the wizard will restart from the first step. An invalid
|
||||||
|
cookie can occur in cases of intentional manipulation, but also after a secret
|
||||||
|
key change. Previously, this would raise ``WizardViewCookieModified``, a
|
||||||
|
``SuspiciousOperation``, causing an exception for any user with an invalid cookie
|
||||||
|
upon every request to the wizard, until the cookie is removed.
|
||||||
|
|
||||||
:mod:`django.contrib.gis`
|
:mod:`django.contrib.gis`
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|