Opened 12 years ago
Closed 12 years ago
#18415 closed Uncategorized (duplicate)
FormWizard's hash check occasionally fails due to pickle.dumps returning varying values for same inputs
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.4 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Background: in django.contrib.formtools.utils.security_hash, the data being hashed is normalized and pickled, and an MD5 hash is taken of that data. When the next page of the wizard is submitted, the hash of the re-submitted data is checked to ensure the user did not tamper with the data.
The problem is that the security_hash function will occasionally return a different value for identical inputs. This is due to pickle.dumps (specifically the cpickle version) returning dissimilar serialized versions for the same input. This can be observed with a simple test:
from cPickle import dumps
print "equal: {}".format(str(12345) == "12345")
print "equal: {}".format(dumps(str(12345)) == dumps("12345"))
This test outputs:
equal: True equal: False
This is not a bug in cpickle, as the pickle documentation explicitly [mentions]http://docs.python.org/library/pickle.html#id10 that the pickle function will not necessarily return the same output for a given input.
Impact: Users who have not tampered with forms will get shunted back to a previous form page, potentially with no explanation. As a developer, this can be quite tricky to debug, and the solution in my case was to write our own hashing function that doesn't rely on pickle.
This is a duplicate of #18340