Author: jacob
Date: 2009-05-12 16:54:58 -0500 (Tue, 12 May 2009)
New Revision: 10752

Modified:
   django/trunk/django/contrib/formtools/tests.py
   django/trunk/django/contrib/formtools/utils.py
Log:
Fixed #10034: the formtools security hash function is now friendlier to 
browsers that submit leading/trailing whitespace in form fields.

Modified: django/trunk/django/contrib/formtools/tests.py
===================================================================
--- django/trunk/django/contrib/formtools/tests.py      2009-05-12 21:45:03 UTC 
(rev 10751)
+++ django/trunk/django/contrib/formtools/tests.py      2009-05-12 21:54:58 UTC 
(rev 10752)
@@ -1,5 +1,6 @@
+import unittest
 from django import forms
-from django.contrib.formtools import preview, wizard
+from django.contrib.formtools import preview, wizard, utils
 from django import http
 from django.test import TestCase
 
@@ -101,6 +102,24 @@
         response = self.client.post('/test1/', self.test_data)
         self.assertEqual(response.content, success_string)
 
+class SecurityHashTests(unittest.TestCase):
+
+    def test_textfield_hash(self):
+        """
+        Regression test for #10034: the hash generation function should ignore
+        leading/trailing whitespace so as to be friendly to broken browsers 
that
+        submit it (usually in textareas).
+        """
+        class TestForm(forms.Form):
+            name = forms.CharField()
+            bio = forms.CharField()
+        
+        f1 = TestForm({'name': 'joe', 'bio': 'Nothing notable.'})
+        f2 = TestForm({'name': '  joe', 'bio': 'Nothing notable.  '})
+        hash1 = utils.security_hash(None, f1)
+        hash2 = utils.security_hash(None, f2)
+        self.assertEqual(hash1, hash2)
+
 #
 # FormWizard tests
 #
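Review bot: `test_textfield_hash` asserts only that whitespace-padded input produces the same hash, so it would still pass if the normalization in `security_hash` ever became too broad and collapsed genuinely different submissions into one hash. Because this hash is what ties a later submission to the data that was validated earlier, the test should also pin the negative case. A constructed example: `f3 = TestForm({'name': 'joe', 'bio': 'Nothing  notable.'})` followed by `self.assertNotEqual(hash1, utils.security_hash(None, f3))`, which checks that interior whitespace and content changes still alter the hash.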

Modified: django/trunk/django/contrib/formtools/utils.py
===================================================================
--- django/trunk/django/contrib/formtools/utils.py      2009-05-12 21:45:03 UTC 
(rev 10751)
+++ django/trunk/django/contrib/formtools/utils.py      2009-05-12 21:54:58 UTC 
(rev 10752)
@@ -16,7 +16,12 @@
     hash of that.
     """
 
-    data = [(bf.name, bf.field.clean(bf.data) or '') for bf in form]
+    data = []
+    for bf in form:
+        value = bf.field.clean(bf.data) or ''
+        if isinstance(value, basestring):
+            value = value.strip()
+        data.append((bf.name, value))
     data.extend(args)
     data.append(settings.SECRET_KEY)
 
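Review bot: With the new `value.strip()` step the hash no longer covers leading or trailing whitespace in string values, so two submissions that differ only there verify as identical, while the form's own cleaned data presumably still carries the unstripped text. That is the intended fix for #10034, but it narrows what the hash guarantees, and the docstring (which begins above this hunk) should say so, for example `Leading/trailing whitespace in string values is stripped before hashing and is therefore not protected by the hash.` The `isinstance(value, basestring)` check only normalizes top-level strings, so a field whose cleaned value is a list of strings would still hash differently on padded input; a short comment such as `# only plain string values are normalized; sequences are hashed as-is` would make that limit explicit. The function body continues past the end of this hunk, so how `data` is finally hashed is not visible here.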

