	Fixed #22638 -- Changed CookieWizardView to ignore invalid cookies
		| @@ -1,6 +0,0 @@ | ||||
| from django.core.exceptions import SuspiciousOperation | ||||
|  | ||||
|  | ||||
| class WizardViewCookieModified(SuspiciousOperation): | ||||
|     """Signature of cookie modified""" | ||||
|     pass | ||||
| @@ -1,6 +1,5 @@ | ||||
| from django.test import TestCase | ||||
| from django.core import signing | ||||
| from django.core.exceptions import SuspiciousOperation | ||||
| from django.http import HttpResponse | ||||
|  | ||||
| from django.contrib.auth.tests.utils import skipIfCustomUser | ||||
| @@ -25,7 +24,7 @@ class TestCookieStorage(TestStorage, TestCase): | ||||
|         self.assertEqual(storage.load_data(), {'key1': 'value1'}) | ||||
|  | ||||
|         storage.request.COOKIES[storage.prefix] = 'i_am_manipulated' | ||||
|         self.assertRaises(SuspiciousOperation, storage.load_data) | ||||
|         self.assertIsNone(storage.load_data()) | ||||
|  | ||||
|     def test_reset_cookie(self): | ||||
|         request = get_request() | ||||
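Review bot: The only invalid value this test exercises is `'i_am_manipulated'`, which has no signature part at all, so the case the release note names (a well-formed cookie signed under a different secret key) is not covered. A second assertion that stores a value signed under another key, for example one produced inside `override_settings(SECRET_KEY=...)` with a constructed key, and again expects `self.assertIsNone(storage.load_data())` would pin that path. The test method containing the changed assertion starts outside the hunk.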
|   | ||||
| @@ -1,8 +1,5 @@ | ||||
| import json | ||||
|  | ||||
| from django.core.signing import BadSignature | ||||
|  | ||||
| from django.contrib.formtools.exceptions import WizardViewCookieModified | ||||
| from django.contrib.formtools.wizard import storage | ||||
|  | ||||
|  | ||||
| @@ -16,12 +13,7 @@ class CookieStorage(storage.BaseStorage): | ||||
|             self.init_data() | ||||
|  | ||||
|     def load_data(self): | ||||
|         try: | ||||
|             data = self.request.get_signed_cookie(self.prefix) | ||||
|         except KeyError: | ||||
|             data = None | ||||
|         except BadSignature: | ||||
|             raise WizardViewCookieModified('WizardView cookie manipulated') | ||||
|         data = self.request.get_signed_cookie(self.prefix, default=None) | ||||
|         if data is None: | ||||
|             return None | ||||
|         return json.loads(data, cls=json.JSONDecoder) | ||||
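Review bot: In `load_data`, `get_signed_cookie(self.prefix, default=None)` returns the default for a bad signature as well as for a missing cookie, so a tampered cookie is now discarded with no log entry and the `SuspiciousOperation` signal the removed exception carried is gone. Restarting the wizard is a reasonable outcome for the user, but the two cases are worth telling apart for monitoring: after the call, `if data is None and self.prefix in self.request.COOKIES:` could emit a low-severity log record through a module logger before returning `None`. At minimum the line deserves a comment such as `# default=None also swallows BadSignature: a missing and a tampered cookie both yield None`. The enclosing class starts outside the hunk.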
|   | ||||
| @@ -45,7 +45,13 @@ Minor features | ||||
| :mod:`django.contrib.formtools` | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
|  | ||||
| * ... | ||||
| * A :doc:`form wizard </ref/contrib/formtools/form-wizard>` using the | ||||
|   :class:`~django.contrib.formtools.wizard.views.CookieWizardView` will now ignore | ||||
|   an invalid cookie, and the wizard will restart from the first step. An invalid | ||||
|   cookie can occur in cases of intentional manipulation, but also after a secret | ||||
|   key change. Previously, this would raise ``WizardViewCookieModified``, a | ||||
|   ``SuspiciousOperation``, causing an exception for any user with an invalid cookie | ||||
|   upon every request to the wizard, until the cookie is removed. | ||||
|  | ||||
| :mod:`django.contrib.gis` | ||||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
|   | ||||