summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJacob Kaplan-Moss <jacob@jacobian.org>2009-05-12 21:54:58 +0000
committerJacob Kaplan-Moss <jacob@jacobian.org>2009-05-12 21:54:58 +0000
commitfce800f3fda6d22e90215a63d60e3567c3a48128 (patch)
tree8ecb2bc9e536558266324d0b3299d3ff002cdb80
parentd20a0834ac344ee79880c353d2c40639ee3837da (diff)
Fixed #10034: the formtools security hash function is now friendlier to browsers that submit leading/trailing whitespace in form fields.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/formtools/tests.py21
-rw-r--r--django/contrib/formtools/utils.py7
2 files changed, 26 insertions, 2 deletions
diff --git a/django/contrib/formtools/tests.py b/django/contrib/formtools/tests.py
index 5263e6e598..8cfa08303b 100644
--- a/django/contrib/formtools/tests.py
+++ b/django/contrib/formtools/tests.py
@@ -1,5 +1,6 @@
+import unittest
from django import forms
-from django.contrib.formtools import preview, wizard
+from django.contrib.formtools import preview, wizard, utils
from django import http
from django.test import TestCase
@@ -101,6 +102,24 @@ class PreviewTests(TestCase):
response = self.client.post('/test1/', self.test_data)
self.assertEqual(response.content, success_string)
+class SecurityHashTests(unittest.TestCase):
+
+ def test_textfield_hash(self):
+ """
+ Regression test for #10034: the hash generation function should ignore
+ leading/trailing whitespace so as to be friendly to broken browsers that
+ submit it (usually in textareas).
+ """
+ class TestForm(forms.Form):
+ name = forms.CharField()
+ bio = forms.CharField()
+
+ f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
+ f2 = TestForm({'name': ' joe', 'bio': 'Nothing notable. '})
+ hash1 = utils.security_hash(None, f1)
+ hash2 = utils.security_hash(None, f2)
+ self.assertEqual(hash1, hash2)
+
#
# FormWizard tests
#
diff --git a/django/contrib/formtools/utils.py b/django/contrib/formtools/utils.py
index a357255522..5be8b21928 100644
--- a/django/contrib/formtools/utils.py
+++ b/django/contrib/formtools/utils.py
@@ -16,7 +16,12 @@ def security_hash(request, form, *args):
hash of that.
"""
- data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form]
+ data = []
+ for bf in form:
+ value = bf.field.clean(bf.data) or ''
+ if isinstance(value, basestring):
+ value = value.strip()
+ data.append((bf.name, value))
data.extend(args)
data.append(settings.SECRET_KEY)