Django

Code

Ticket #7038 (closed: duplicate)

Opened 2 years ago

Last modified 2 years ago

FormWizard fails on forms with BooleanField when field is unselected

Reported by: anonymous Assigned to: mcroydon
Milestone: 1.0 Component: django.contrib.formtools
Version: SVN Keywords: FormWizard, BooleanField, hash failure
Cc: rajesh.dhawan@gmail.com, dev@sitedesign.net Triage Stage: Accepted
Has patch: 1 Needs documentation: 0
Needs tests: 0 Patch needs improvement: 0

Description (Last modified by ramiro)

The form wizard fails to match its security hash when processing a form containing at least one BooleanField? where the BooleanField?'s checkbox is unselected (e.g. False). This results in (on my machine) the form containing the BooleanField? being redisplayed. If *all* the BooleanFields? on a form are selected, it appears to work correctly.

I was able to workaround (not fix) by overriding the security_hash method as follows: 

    def security_hash(self, request, form):

        for bf in form:
            if bf.field.__class__ != BooleanField:
                data = [(bf.name, bf.data or u'')] + [settings.SECRET_KEY]

        # Use HIGHEST_PROTOCOL because it's the most efficient. It requires
        # Python 2.3, but Django requires 2.3 anyway, so that's OK.
        pickled = pickle.dumps(data, protocol=pickle.HIGHEST_PROTOCOL)
        return md5.new(pickled).hexdigest()

The problem appears (to my untrained eye) to be in the line assigning the value of data where bf.data = False and thus gets assigned .

I'm using SVN 7412.

Attachments

django.contrib.formtools.7828.patch (0.8 kB) - added by rishi on 07/02/08 19:02:39.
django.contrib.formtools.7828.patch

Change History

04/18/08 13:17:53 changed by anonymous

  • needs_better_patch changed.
  • component changed from Uncategorized to django.contrib.formtools.
  • needs_tests changed.
  • needs_docs changed.

(follow-up: ↓ 4 ) 05/22/08 12:57:18 changed by tbye@tbye.com

When attempting to use the sample workaround above with rev. 7545 I hit an issue. Here's my updated sample to correct the problems I ran into. 

def security_hash(self, request, form):
        for bf in form:
            if bf.field != BooleanField:
                 data = [(bf.name, bf.data or '')] + [settings.SECRET_KEY]

        # Use HIGHEST_PROTOCOL because it's the most efficient. It requires 
        # Python 2.3, but Django requires 2.3 anyway, so that's OK. 
        pickled = pickle.dumps(data, protocol=pickle.HIGHEST_PROTOCOL) 
        return md5.new(pickled).hexdigest()

05/26/08 06:12:51 changed by hanne.moa@gmail.com

  • keywords changed from FormWizard, BooleanField to FormWizard, BooleanField, hash failure.

I get this also... not an easy bug to detect when one has a wizard with many forms! maybe a better solution would be to explicitly set every unset BooleanField? to False as soon as possible, that is: well before the hashing?

(in reply to: ↑ 2 ) 05/26/08 07:30:51 changed by hanne.moa@gmail.com

Replying to tbye@tbye.com:

When attempting to use the sample workaround above with rev. 7545 I hit an issue. Here's my updated sample to correct the problems I ran into. def security_hash(self, request, form): for bf in form: if bf.field != BooleanField?: data = [(bf.name, bf.data or )] + [settings.SECRET_KEY]

This also means that only the last field per form, whatever that is, is hashed at all, as 'data' is replaced for almost every trip through the 'for'. Ergo, one might as well not have the hashing at all.

The real problem is that sql and web and boolean logic disagrees as to what a checkbox (CheckboxInput? in django's case) is supposed to mean. Sql has three values for a bool: true, false, and unset. Web only has on/True and unset. Django has two types of boolean fields, using the same widget: BooleanField?, which must be set and has two possible values: True and False, and NullboleanField?, which is like sql in that it has three values: True, False and None (unset). The checkbox-widget however, obeys the web-rule of True vs. unset and ergo doesn't really fit with either of the fields =) See also #7051, #7190, #6937, #6914, #5957

06/16/08 15:44:48 changed by ramiro

  • description changed.

07/02/08 19:02:39 changed by rishi

  • attachment django.contrib.formtools.7828.patch added.

django.contrib.formtools.7828.patch

07/02/08 19:08:02 changed by rishi

  • has_patch set to 1.

I can also reproduce this issue. The problem is with the line in wizard.py: 

data = [(bf.name, bf.data or '') for bf in form] + [settings.SECRET_KEY]

Where can bf.data == False when the hash is created, and bf.data == u'False' when the hash is validated. So the hashes don't match and we get a hash error. It seems like an easy fix would be to do the following: 

#data = [(bf.name, unicode(bf.data) if bf.data is not None else '') for bf in form] + [settings.SECRET_KEY]

But that fails due an odd behavior with pickling where the pickled data doesn't produce the exact binary output: 

>>> import cPickle as pickle
>>>
>>> u'False' == unicode(False)
True
>>> pickle1 = pickle.dumps(u'False', pickle.HIGHEST_PROTOCOL)
>>> pickle2 = pickle.dumps(unicode(False), pickle.HIGHEST_PROTOCOL)
>>> pickle1 == pickle2
False
>>> pickle1
'\x80\x02X\x05\x00\x00\x00Falseq\x01.'
>>> pickle2
'\x80\x02X\x05\x00\x00\x00False.'
>>>
>>>
>>> f1 = u'False'
>>> f2 = unicode(False)
>>> f1 == f2
True
>>> pickle1 = pickle.dumps(f1, pickle.HIGHEST_PROTOCOL)
>>> pickle2 = pickle.dumps(f2, pickle.HIGHEST_PROTOCOL)
>>> pickle1 == pickle2
True
>>> pickle1
'\x80\x02X\x05\x00\x00\x00Falseq\x01.'
>>> pickle2
'\x80\x02X\x05\x00\x00\x00Falseq\x01.'
>>>

It seems like a better approach would be to remove the pickle operation and use a different serialization method (e.g., sorted list of key values converted to a string) as the md5 input. I haven't done that in the attached patch and can leave that for someone else to choose to do. For now, the attached patch fixes it by expanding the list comprehension.

07/16/08 11:03:10 changed by ElliottM

  • milestone set to 1.0.

07/25/08 12:05:36 changed by rajeshdhawan

This problem is similar to the FormPreview? problem of #6209. I have a fix uploaded there. Whatever fix is incorporated, it should be consistent between the hash calculations of the FormPreview? and those of the FormWizard?.

07/25/08 12:05:49 changed by rajeshdhawan

  • cc set to rajesh.dhawan@gmail.com.

07/27/08 18:47:27 changed by ElliottM

  • stage changed from Unreviewed to Accepted.

08/06/08 05:23:02 changed by anonymous

  • cc changed from rajesh.dhawan@gmail.com to rajesh.dhawan@gmail.com, dev@sitedesign.net.

08/06/08 08:38:54 changed by adamjforster

The patch django.contrib.formtools.7828.patch does not work for me when there are multiple blank checkboxes on a single form. It does work if there are two checkboxes where one is ticked and the other is blank, but if I leave both blank the form wizard throws me back to that step.

I am using trunk revision [8222]

After having looked at ticket #6209 I have replaced line 50 of wizard.py with the code from this patch patch-#6209.diff, so far this seems to have completely solved my problems.

I hope that this information helps.

08/06/08 08:45:29 changed by adamjforster

Sorry the above: "I have replaced line 50 of wizard.py"

Should read: "I have replaced line 150 of wizard.py"

The link is correct.

08/08/08 10:45:54 changed by mcroydon

  • owner changed from nobody to mcroydon.
  • status changed from new to assigned.

08/08/08 11:22:23 changed by mcroydon

  • status changed from assigned to closed.
  • resolution set to duplicate.

The patch to Ticket #6209 solves this using BooleanField?'s clean() method, which should solve your problem. Marking this as a dupe of that ticket.

Add/Change #7038 (FormWizard fails on forms with BooleanField when field is unselected)




Change Properties
Action