Commit 5fa11b00 authored by Luke Plant's avatar Luke Plant

Removed Django 1.2 compatibility fallback for contrib.comments forms hash.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15953 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent c922a046
+1 −13
import datetime
import hashlib
import time
from django import forms
from django.forms.util import ErrorDict
@@ -47,11 +46,6 @@ class CommentSecurityForm(forms.Form):
        expected_hash = self.generate_security_hash(**security_hash_dict)
        actual_hash = self.cleaned_data["security_hash"]
        if not constant_time_compare(expected_hash, actual_hash):
            # Fallback to Django 1.2 method for compatibility
            # PendingDeprecationWarning <- here to remind us to remove this
            # fallback in Django 1.5
            expected_hash_old = self._generate_security_hash_old(**security_hash_dict)
            if not constant_time_compare(expected_hash_old, actual_hash):
            raise forms.ValidationError("Security hash check failed.")
        return actual_hash

@@ -95,12 +89,6 @@ class CommentSecurityForm(forms.Form):
        value = "-".join(info)
        return salted_hmac(key_salt, value).hexdigest()

    def _generate_security_hash_old(self, content_type, object_pk, timestamp):
        """Generate a (SHA1) security hash from the provided info."""
        # Django 1.2 compatibility
        info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
        return hashlib.sha1("".join(info)).hexdigest()

class CommentDetailsForm(CommentSecurityForm):
    """
    Handles the specific details of the comment (name, comment, etc.).
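Review bot: Nothing in this commit pins the new rejection path in the first hunk. With the fallback gone, a submission carrying a Django 1.2-style hash (`hashlib.sha1("".join(info))` over the fields and `SECRET_KEY`) should now fail with "Security hash check failed.", but the test file only deletes `testDjango12Hash` instead of inverting it. Keeping that test under a new name with its last line changed to `self.assertFalse(f.is_valid())` would guard against the weaker unkeyed, separator-less scheme being accepted again. Forms rendered by a 1.2 deployment and submitted after the upgrade will presumably fail validation, which is worth a line in the release notes. The enclosing method starts above the hunk, so the construction of `security_hash_dict` is not visible here.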
+0 −18
import hashlib
import time

from django.conf import settings
@@ -46,23 +45,6 @@ class CommentFormTests(CommentTestCase):
    def testObjectPKTampering(self):
        self.tamperWithForm(object_pk="3")

    def testDjango12Hash(self):
        # Ensure we can use the hashes generated by Django 1.2
        a = Article.objects.get(pk=1)
        d = self.getValidData(a)

        content_type = d['content_type']
        object_pk = d['object_pk']
        timestamp = d['timestamp']

        # The Django 1.2 method hard-coded here:
        info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
        security_hash = hashlib.sha1("".join(info)).hexdigest()

        d['security_hash'] = security_hash
        f = CommentForm(a, data=d)
        self.assertTrue(f.is_valid(), f.errors)

    def testSecurityErrors(self):
        f = self.tamperWithForm(honeypot="I am a robot")
        self.assertTrue("honeypot" in f.security_errors())