Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#10034 closed (fixed)

FormWizard has a security_hash check failure with Textareas with leading/trailing newlines in Safari

Reported by: danaspiegel Owned by: kkubasik
Component: contrib.formtools Version: 1.0
Severity: Keywords: security_hash textarea formwizard
Cc: kevin@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: UI/UX:

Description

I have a Form with a TextField, and when I put this form into a FormWizard, the security_hash generated for that form is different before/after the next form is submitted. This only happens on Safari. I've traced the issue to a TextField that has leading and/or trailing newlines.

In Firefox, a Textarea is apparently stripped upon submission, but in Safari, the leading/trailing newlines are submitted. As a result, when submitting the form with the Textarea, the security_hash that is generated uses the value of the field with the newlines included. But when I submit the next form, the security_hash that is generated from the previous fields doesn't have the newlines in that field's value. As a result, the security_hash is different, generating a security_hash failure. This may be due to the way that the previous fields are rendered into the second form.

Attachments (1)

formwizard_10034.diff (493 bytes) - added by kkubasik 5 years ago.

Change History (8)

comment:1 Changed 5 years ago by jacob

  • milestone set to 1.1
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 5 years ago by kkubasik

  • Has patch set
  • Owner changed from nobody to kkubasik
  • Patch needs improvement set

I have no idea if this patch actually fixes it, but it seems like it might.

Changed 5 years ago by kkubasik

comment:3 Changed 5 years ago by kkubasik

  • Cc kevin@… added

comment:4 Changed 5 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [10752]) Fixed #10034: the formtools security hash function is now friendlier to browsers that submit leading/trailing whitespace in form fields.

comment:5 follow-up: Changed 5 years ago by al@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

In v1.0: This fix doesn't work; the latest Safari is not only passing in leading/trailing whitespace - it is also passing through \r\n within the fields. These are blowing up the hashing algorithm.

The tests need to add:

f1 = TestForm({'name': 'joe', 'bio': 'Nothing\r\nnotable.'})

Adjusting fix 10752 (django/contrib/formtools/utils.py) as follows works:

if isinstance(value, basestring):
    value = value.strip()
    value = value.replace('\r', ' ')  # added
    value = value.replace('\n', ' ')  # added
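The normalization proposed in comment 5, applied to the step-to-step hash check the ticket describes, as an added Python 3 example (not part of the ticket or of Django's formtools code): SECRET_KEY, the HMAC-SHA256 construction, the JSON serialization and the sample field values are all assumptions constructed here.

```python
import hashlib
import hmac
import json

# Constructed stand-in for settings.SECRET_KEY; not a real key.
SECRET_KEY = b"constructed-example-key"


def normalize_value(value):
    """Canonicalize one submitted value as comment 5 proposes: strip leading
    and trailing whitespace, then turn the CR and LF that some browsers keep
    inside a textarea into spaces, so every browser hashes the same bytes."""
    if isinstance(value, str):
        value = value.strip()
        value = value.replace("\r", " ").replace("\n", " ")
    return value


def security_hash(fields, secret_key=SECRET_KEY, normalize=True):
    """Keyed hash over an ordered list of (name, value) pairs. Illustration
    only: Django's formtools pickled the data and used MD5; here the pairs are
    JSON-encoded and keyed with HMAC-SHA256. normalize=False reproduces the
    mismatch the ticket reports."""
    if normalize:
        fields = [(name, normalize_value(value)) for name, value in fields]
    canonical = json.dumps(list(fields), separators=(",", ":")).encode("utf-8")
    return hmac.new(secret_key, canonical, hashlib.sha256).hexdigest()


def hashes_match(first_submission, replayed_fields, normalize=True):
    """Compare the hash computed when step 1 was submitted with the one
    recomputed from the hidden fields replayed at step 2, in constant time."""
    return hmac.compare_digest(
        security_hash(first_submission, normalize=normalize),
        security_hash(replayed_fields, normalize=normalize),
    )


# Constructed sample data: the textarea as a browser that keeps surrounding
# newlines and CRLF line endings submits it, as it comes back from the next
# step's hidden fields without the surrounding newlines, and a tampered copy.
SUBMITTED = [("name", "joe"), ("bio", "\r\nNothing\r\nnotable.\r\n")]
REPLAYED = [("name", "joe"), ("bio", "Nothing\r\nnotable.")]
TAMPERED = [("name", "jane"), ("bio", "Nothing\r\nnotable.")]

if __name__ == "__main__":
    print(hashes_match(SUBMITTED, REPLAYED, normalize=False))  # False: the bug
    print(hashes_match(SUBMITTED, REPLAYED))  # True
    print(hashes_match(SUBMITTED, TAMPERED))  # False
```

The tampered case shows the check still catches a real change to a replayed field; the normalization only removes whitespace differences that browsers introduce.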

comment:6 in reply to: ↑ 5 Changed 5 years ago by kmtracey

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to al@webreply.com:

In v1.0: This fix doesn't work; the latest Safari is not only passing in leading/trailing whitespace - it is also passing through \r\n within the fields. These are blowing up the hashing algorithm.

What you are describing is a new problem: there was no mention of embedded \r\n previously in this ticket. Please open new tickets for new problems.

Also please be clear about the version you are referring to. The fix for this ticket went into trunk and the 1.0.X branch in May, thus is available in 1.1 and 1.0.3. I don't know what you mean when you say "In v1.0"; if this behavior was broken in 1.0 it will stay broken in 1.0 forever -- the fix is only available in an update to the release.

comment:7 Changed 3 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted
