From fce800f3fda6d22e90215a63d60e3567c3a48128 Mon Sep 17 00:00:00 2001
From: Jacob Kaplan-Moss
Date: Tue, 12 May 2009 21:54:58 +0000
Subject: [PATCH] Fixed #10034: the formtools security hash function is now friendlier to browsers that submit leading/trailing whitespace in form fields.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
django/contrib/formtools/tests.py | 21 ++++++++++++++++++++-
django/contrib/formtools/utils.py | 7 ++++++-
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/django/contrib/formtools/tests.py b/django/contrib/formtools/tests.py
index 5263e6e598..8cfa08303b 100644
--- a/django/contrib/formtools/tests.py
+++ b/django/contrib/formtools/tests.py
@@ -1,5 +1,6 @@
+import unittest
from django import forms
-from django.contrib.formtools import preview, wizard
+from django.contrib.formtools import preview, wizard, utils
from django import http
from django.test import TestCase
@@ -101,6 +102,24 @@ class PreviewTests(TestCase):
response = self.client.post('/test1/', self.test_data)
self.assertEqual(response.content, success_string)
+class SecurityHashTests(unittest.TestCase):
+
+ def test_textfield_hash(self):
+ """
+ Regression test for #10034: the hash generation function should ignore
+ leading/trailing whitespace so as to be friendly to broken browsers that
+ submit it (usually in textareas).
+ """
+ class TestForm(forms.Form):
+ name = forms.CharField()
+ bio = forms.CharField()
+
+ f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
+ f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
+ hash1 = utils.security_hash(None, f1)
+ hash2 = utils.security_hash(None, f2)
+ self.assertEqual(hash1, hash2)
+
#
# FormWizard tests
#
diff --git a/django/contrib/formtools/utils.py b/django/contrib/formtools/utils.py
index a357255522..5be8b21928 100644
--- a/django/contrib/formtools/utils.py
+++ b/django/contrib/formtools/utils.py
@@ -16,7 +16,12 @@ def security_hash(request, form, *args):
hash of that.
"""
- data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form]
+ data = []
+ for bf in form:
+ value = bf.field.clean(bf.data) or ''
+ if isinstance(value, basestring):
+ value = value.strip()
+ data.append((bf.name, value))
data.extend(args)
data.append(settings.SECRET_KEY)
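Review bot: The new `value.strip()` branch means the hash no longer covers leading or trailing whitespace in string fields, and neither the visible tail of the docstring nor a comment says so. This hash is presumably what lets a later request show that the form data was not altered, so a whitespace-only change to a string value now verifies as unchanged; that is the intent of #10034, but any caller that passes the unstripped cleaned value on after the check should be confirmed to tolerate it. I would add a comment above the `isinstance` check such as `# Edge whitespace is deliberately excluded from the hash (#10034); whitespace-only edits to string values are not detected.` The regression test in tests.py asserts only that the two hashes match, so a companion assertion that a value differing in anything other than edge whitespace still yields a different hash would pin the limit of the normalization. The body of security_hash starts and ends outside this hunk.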