summaryrefslogtreecommitdiff
path: root/django/contrib/formtools/utils.py
AgeCommit message (Collapse)Author
2014-11-26Fixed #23677 -- Removed contrib.formtoolsTim Graham
2012-08-14Reverted pickle-json replacement form_hmac calculationClaude Paroz
This reverts commit b109ff8062f4bb225181ec462d69c9dd79339567 and complement test cases. The change was too hasty, as some form values cannot be json-serialized as is.
2012-08-13Replaced pickle by json in form_hmac calculationClaude Paroz
Refs #18340
2012-07-22[py3] Replaced basestring by six.string_types.Aymeric Augustin
2012-05-19Fixed #18340 -- Fixed formtools form_hmac with Unicode inputClaude Paroz
Using cPickle, two apparently identical Unicode strings could generate different pickled results depending on previous operations on those strings.
2012-03-31Removed deprecated and undocumented function ↵Aymeric Augustin
django.contrib.formtools.utils.security_hash(). git-svn-id: http://code.djangoproject.com/svn/django/trunk@17841 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for ↵Jannis Leidel
the work on the patch and Alex for reviewing. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-02Advanced deprecations in contrib.formtools.Russell Keith-Magee
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15972 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28Removed no-longer-valid comment about Python 2.3 and 2.4 in formtools/utils.pyAdrian Holovaty
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15931 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28Removed a bunch of Python 2.4 workarounds now that we don't support it. Refs ↵Adrian Holovaty
#15702 -- thanks to jonash for the patch. Splitting this over muliple commits to make it more manageable. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14Fixed #14445 - Use HMAC and constant-time comparison functions where needed.Luke Plant
All adhoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation. In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid. In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it. All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function. There are no known practical attacks against the existing implementations, so these security improvements will not be backported. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-05-04Fixed #12164 -- Removed the Python 2.3 compatibility imports and ↵Russell Keith-Magee
workarounds. Thanks to timo and claudep for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@13094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-12Fixed #10643: fixed the formtools security hash to handle allowed empty ↵Jacob Kaplan-Moss
forms or forms without changed data. git-svn-id: http://code.djangoproject.com/svn/django/trunk@10753 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-12Fixed #10034: the formtools security hash function is now friendlier to ↵Jacob Kaplan-Moss
browsers that submit leading/trailing whitespace in form fields. git-svn-id: http://code.djangoproject.com/svn/django/trunk@10752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-14Fixed #8570: Corrected some code that was using 8-space tabs for some ↵Russell Keith-Magee
reason. Thanks to Manuel Saelices for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@9019 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29Fixed #8653: make formtools' security hash more rubust. Silly that I didn't ↵Jacob Kaplan-Moss
think of this before; thanks to bthomas for providing the obvious fix. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8715 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-26Fixed #6209: handle `BooleanField`s in `FormPreview` and `FormWizard`. In ↵Jacob Kaplan-Moss
the process, broke the the security hash calculation out to a helper function. Thanks to mcroydon and rajeshdhawan. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8597 bcc190cf-cafb-0310-a4f2-bffc1f526a37