Kaydet (Commit) ba5ddf7a authored tarafından Erik Romijn's avatar Erik Romijn

Fixed #22638 -- Changed CookieWizardView to ignore invalid cookies

üst 3b765029
from django.core.exceptions import SuspiciousOperation
class WizardViewCookieModified(SuspiciousOperation):
"""Signature of cookie modified"""
pass
from django.test import TestCase from django.test import TestCase
from django.core import signing from django.core import signing
from django.core.exceptions import SuspiciousOperation
from django.http import HttpResponse from django.http import HttpResponse
from django.contrib.auth.tests.utils import skipIfCustomUser from django.contrib.auth.tests.utils import skipIfCustomUser
...@@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase): ...@@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase):
self.assertEqual(storage.load_data(), {'key1': 'value1'}) self.assertEqual(storage.load_data(), {'key1': 'value1'})
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated' storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
self.assertRaises(SuspiciousOperation, storage.load_data) self.assertIsNone(storage.load_data())
def test_reset_cookie(self): def test_reset_cookie(self):
request = get_request() request = get_request()
......
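Review bot: The updated assertion at the `self.assertIsNone(storage.load_data())` line covers only a garbage cookie value; the change's stated motivation also includes a secret-key rotation, which yields a well-formed but differently-signed cookie rather than junk, and that path is not exercised here. A second check that writes a cookie signed under another key (presumably via `override_settings(SECRET_KEY=...)` around the signing step, using the `signing` import already present in the section) and asserts `load_data()` returns `None` would pin that case. The enclosing test method starts before this hunk.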
import json import json
from django.core.signing import BadSignature
from django.contrib.formtools.exceptions import WizardViewCookieModified
from django.contrib.formtools.wizard import storage from django.contrib.formtools.wizard import storage
...@@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage): ...@@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage):
self.init_data() self.init_data()
def load_data(self): def load_data(self):
try: data = self.request.get_signed_cookie(self.prefix, default=None)
data = self.request.get_signed_cookie(self.prefix)
except KeyError:
data = None
except BadSignature:
raise WizardViewCookieModified('WizardView cookie manipulated')
if data is None: if data is None:
return None return None
return json.loads(data, cls=json.JSONDecoder) return json.loads(data, cls=json.JSONDecoder)
......
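Review bot: Passing `default=None` on the new `load_data` line makes a tampered cookie indistinguishable from an absent one, so the signal the old `SuspiciousOperation` path sent to Django's security logging is lost rather than merely softened. The restart-from-step-one behaviour the commit wants can be kept while still leaving operators a trace: after the assignment, `if data is None and self.prefix in self.request.COOKIES:` followed by `logger.warning('Ignoring invalid %s cookie', self.prefix)`, with a module-level `logger = logging.getLogger(__name__)` and its `import logging` added at the top of the file, outside this hunk. That distinguishes "no cookie" from "cookie present but failed verification", which is the case worth detecting.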
...@@ -45,7 +45,13 @@ Minor features ...@@ -45,7 +45,13 @@ Minor features
:mod:`django.contrib.formtools` :mod:`django.contrib.formtools`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* ... * A :doc:`form wizard </ref/contrib/formtools/form-wizard>` using the
:class:`~django.contrib.formtools.wizard.views.CookieWizardView` will now ignore
an invalid cookie, and the wizard will restart from the first step. An invalid
cookie can occur in cases of intentional manipulation, but also after a secret
key change. Previously, this would raise ``WizardViewCookieModified``, a
``SuspiciousOperation``, causing an exception for any user with an invalid cookie
upon every request to the wizard, until the cookie is removed.
:mod:`django.contrib.gis` :mod:`django.contrib.gis`
^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^
......