Context Navigation

← Previous Ticket
Next Ticket →

#10034 closed (fixed)

FormWizard has a security_hash check failure with Textareas with leading/trailing newlines in Safari

Reported by:	Dana Spiegel	Owned by:	Kevin Kubasik
Component:	contrib.formtools	Version:	1.0
Severity:		Keywords:	security_hash textarea formwizard
Cc:	kevin@…	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description

I have a Form with a TextField, and when I put this form into a FormWizard, the security_hash generated for that form is different before/after the next form is submitted. This only happens on Safari. I've traced the issue to a TextField that has leading and/or trailing newlines.

In Firefox, a Textarea is apparently stripped upon submission, but in Safari, the leading/trailing newlines are submitted. As a result, when submitting the form with the Textarea, the security_hash that is generated uses the value of the field with the newlines included. But when I submit the next form, the security_hash that is generated from the previous fields doesn't have the newlines in that field's value. As a result, the security_hash is different, generating a security_hash failure. This may be due to the way that the previous fields are rendered into the second form.

Attachments (1)

formwizard_10034.diff (493 bytes ) - added by Kevin Kubasik 15 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 by Jacob, 15 years ago

milestone:	→ 1.1
Triage Stage:	Unreviewed → Accepted

comment:2 by Kevin Kubasik, 15 years ago

Has patch:	set
Owner:	changed from nobody to Kevin Kubasik
Patch needs improvement:	set

I have no idea if this patch actually fixes it, but it seems like it might.

by Kevin Kubasik, 15 years ago

Attachment:	formwizard_10034.diff added

comment:3 by Kevin Kubasik, 15 years ago

Cc:	kevin@… added

comment:4 by Jacob, 15 years ago

Resolution:	→ fixed
Status:	new → closed

(In [10752]) Fixed #10034: the formtools security hash function is now friendlier to browsers that submit leading/trailing whitespace in form fields.

follow-up: 6 comment:5 by al@…, 15 years ago

Resolution:	fixed
Status:	closed → reopened

In v1.0: This fix doesn't work; The latest Safari is not only passing in leading/trailing whitespace - it is also passing through \r\n within the fields. These are blowing up the hashing algorithm.

The tests need to add:

f1 = TestForm({'name': 'joe', 'bio': 'Nothing\r\nnotable.'})

Adjusting fix 10752 (django/contrib/formtools/utils.py) as follows works:

25:  if isinstance(value, basestring):
26:    value = value.strip()
27+    value = value.replace('\r', ' ')
28+    value = value.replace('\n', ' ')

in reply to: 5 comment:6 by Karen Tracey, 15 years ago

Resolution:	→ fixed
Status:	reopened → closed

Replying to al@webreply.com:

In v1.0: This fix doesn't work; The latest Safari is not only passing in leading/trailing whitespace - it is also passing through \r\n within the fields. These are blowing up the hashing algorithm.

What you are describing is a new problem: there was no mention of embedded \r\n previously in this ticket. Please open new tickets for new problems.

Also please be clear about the version you are referring to. The fix for this ticket went into trunk and the 1.0.X branch in May, thus is available in 1.1 and 1.0.3. I don't know what you mean when you say "In v1.0"; if this behavior was broken in 1.0 it will stay broken in 1.0 forever -- the fix is only available in an update to the release.

comment:7 by Jacob, 13 years ago

milestone:	1.1

Milestone 1.1 deleted

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues