#18415 closed Uncategorized (duplicate)

FormWizard's hash check occasionally fails due to pickle.dumps returning varying values for same inputs

Reported by: bensonk@… Owned by: nobody
Component: Uncategorized Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Background: in django.contrib.formtools.utils.security_hash, the data being hashed is normalized and pickled, and an MD5 hash is taken of that data. When the next page of the wizard is submitted, the hash of the re-submitted data is checked to ensure the user did not tamper with the data.

The problem is that the security_hash function will occasionally return a different value for identical inputs. This is due to pickle.dumps (specifically the cpickle version) returning dissimilar serialized versions for the same input. This can be observed with a simple test:

from cPickle import dumps
print "equal: {}".format(str(12345) == "12345")
print "equal: {}".format(dumps(str(12345)) == dumps("12345"))

This test outputs:

equal: True
equal: False

This is not a bug in cpickle, as the pickle documentation explicitly [mentions] that the pickle function will not necessarily return the same output for a given input.

Impact: Users who have not tampered with forms will get shunted back to a previous form page, potentially with no explanation. As a developer, this can be quite tricky to debug, and the solution in my case was to write our own hashing function that doesn't rely on pickle.

Attachments (0)

Change History (1)

comment:1 Changed 23 months ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

This is a duplicate of #18340

Add Comment

Modify Ticket

Change Properties
<Author field>
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.