#12273: django.contrib.formtools.utils.security_hash resulting in different pickled string on same data
-----------------------------------------------+----------------------------
          Reporter:  robhudson                 |         Owner:  kenseehart   
            Status:  closed                    |     Milestone:  1.2          
         Component:  django.contrib.formtools  |       Version:  1.1          
        Resolution:  worksforme                |      Keywords:  security hash
             Stage:  Accepted                  |     Has_patch:  0            
        Needs_docs:  1                         |   Needs_tests:  1            
Needs_better_patch:  0                         |  
-----------------------------------------------+----------------------------
Changes (by kenseehart):

  * status:  assigned => closed
  * needs_docs:  0 => 1
  * resolution:  => worksforme
  * needs_tests:  0 => 1

Comment:

 There is not enough information to reproduce the error.  Ideally, we need
 enough to create a test case that fails.

 Comments like "... From Step 2 to Step 3" are meaningless since there is
 no description of a sequence of steps.

 In the case described, it appears that only basic Python types are used
 (lists, tuples, strings), but if that were the case, then I can't see how
 it would be possible for pickle to give two different results when repr
 gives the same result.  So it seems that some of the objects have repr
 that looks like a string repr.

 I am not sure that replacing pickle with repr is wise.  Using repr on such
 objects is dangerous because some objects could contain content that would
 cause problems for repr, whereas they would not cause problems for pickle.
 I don't see this as a security issue; just a possible cause of exceptions.

 Some kinds of objects, such as dictionaries, can differ in both repr and
 pickle for equal values, so repr is not necessarily an improvement over
 pickle in the general case.

 Therefore a description of how to cause this bug starting from a new
 Django installation is necessary.

 This bug can be reopened if a sequence of steps can be provided that
 allows us to reproduce the problem on a fresh Django install.

 Note: the current test suite does not cover utils.security_hash at all.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/12273#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
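The comment above notes that dictionaries can differ in both repr and pickle for equal values, so swapping pickle for repr does not by itself make a form-state hash stable. The following is an added illustration, not Django's own security_hash and not code from the ticket: two equal dicts built in different insertion order give different repr and pickle bytes, while a canonical serialization (sorted keys, fixed separators) feeds an HMAC that is identical for both. The function names, the sample form data and the key are constructed for this example.

```python
import hashlib
import hmac
import json
import pickle

# Constructed sample data: the same cleaned form data, assembled in two different orders.
FORM_DATA_A = {"name": "alice", "email": "alice@example.invalid", "tags": ["x", "y"]}
FORM_DATA_B = {"tags": ["x", "y"], "email": "alice@example.invalid", "name": "alice"}

# Constructed key; a real deployment would use its own secret (e.g. settings.SECRET_KEY).
DEMO_KEY = b"example-secret-key-not-for-production"


def naive_fingerprints(obj):
    """Return (repr, pickle bytes) for obj: the two non-canonical encodings the ticket compares."""
    return repr(obj), pickle.dumps(obj)


def canonical_bytes(obj):
    """Serialize obj to bytes that depend only on its value, not on dict insertion order.

    JSON with sort_keys=True and fixed separators yields identical bytes for equal
    dicts. Caveat: JSON conflates tuples and lists and rejects sets/bytes, so this
    canonical form is only suitable for JSON-compatible cleaned data.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def stable_security_hash(obj, key):
    """Keyed hash over the canonical serialization (hypothetical replacement for a pickle-based hash)."""
    return hmac.new(key, canonical_bytes(obj), hashlib.sha256).hexdigest()


def demo():
    """Show that naive encodings differ for equal values while the canonical hash does not."""
    assert FORM_DATA_A == FORM_DATA_B
    repr_a, pickle_a = naive_fingerprints(FORM_DATA_A)
    repr_b, pickle_b = naive_fingerprints(FORM_DATA_B)
    return {
        "repr_equal": repr_a == repr_b,
        "pickle_equal": pickle_a == pickle_b,
        "canonical_hash_equal": stable_security_hash(FORM_DATA_A, DEMO_KEY)
        == stable_security_hash(FORM_DATA_B, DEMO_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

On Python 3.7 and later, dict repr and pickle both follow insertion order, so the first two comparisons are False and only the canonical hash matches; a keyed HMAC is used rather than a bare digest so that a client who can see the serialized form cannot compute a valid hash without the server's secret.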
