Opened 3 years ago

Closed 3 years ago

#18415 closed Uncategorized (duplicate)

FormWizard's hash check occasionally fails due to pickle.dumps returning varying values for same inputs

Reported by: bensonk@… Owned by: nobody
Component: Uncategorized Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Background: in django.contrib.formtools.utils.security_hash, the data being hashed is normalized and pickled, and an MD5 hash is taken of that data. When the next page of the wizard is submitted, the hash of the re-submitted data is checked to ensure the user did not tamper with the data.

The problem is that the security_hash function will occasionally return a different value for identical inputs. This is due to pickle.dumps (specifically the cpickle version) returning dissimilar serialized versions for the same input. This can be observed with a simple test:

from cPickle import dumps
print "equal: {}".format(str(12345) == "12345")
print "equal: {}".format(dumps(str(12345)) == dumps("12345"))

This test outputs:

equal: True
equal: False

This is not a bug in cpickle, as the pickle documentation explicitly [mentions] that the pickle function will not necessarily return the same output for a given input.

Impact: Users who have not tampered with forms will get shunted back to a previous form page, potentially with no explanation. As a developer, this can be quite tricky to debug, and the solution in my case was to write our own hashing function that doesn't rely on pickle.

Change History (1)

comment:1 Changed 3 years ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

This is a duplicate of #18340

Note: See TracTickets for help on using tickets.
Back to Top