jazzband / django-formtools

A set of high-level abstractions for Django forms
https://django-formtools.readthedocs.io
BSD 3-Clause "New" or "Revised" License
801 stars 135 forks

Convert QuerySet to list before pickling for matching hmac #96

Open felix-engelmann opened 7 years ago

felix-engelmann commented 7 years ago

The QuerySet of Django includes fields which sometimes vary from query to query, at least with a Postgres backend. Therefore, the pickled string is different, which results in a different hash and a bad_hash result. Converting the QuerySet to a simple list does not weaken any security regarding malicious changes on the preview form.
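The failure mode described above, as an added example that is not part of this PR or of django-formtools' code. Django is not imported so that it runs offline: `FakeQuerySet` is a constructed stand-in whose `_db` attribute plays the role of the per-connection state that varies between queries, `SECRET_KEY` and `KEY_SALT` are made-up constants, and `form_hmac` is modelled loosely on the pickle-then-HMAC approach of `formtools/utils.py` rather than copied from it. It shows why the same submission can produce two different HMACs when a cleaned value is a QuerySet, and that flattening the QuerySet to a sorted list of primary keys gives a stable hash while still detecting a changed selection.

```python
import hashlib
import hmac
import pickle

# Assumed constants for the example; Django would use settings.SECRET_KEY and
# formtools uses its own key salt.
SECRET_KEY = b"constructed-secret-key-for-this-example"
KEY_SALT = b"example-security-hash-salt"


class FakeQuerySet:
    """Constructed stand-in for django.db.models.QuerySet.

    A real QuerySet pickles its result cache together with query/connection
    state; here `_db` stands in for that state, which can differ between
    worker processes or DB connections even though the selected rows are the
    same. `_result_cache` holds plain ints standing in for model primary keys.
    """

    def __init__(self, pks, db_alias):
        self._result_cache = list(pks)
        self._db = db_alias  # varies per connection (assumption for the demo)

    def pks(self):
        # With Django this would be [obj.pk for obj in queryset].
        return list(self._result_cache)


def _clean_value(value, flatten_querysets):
    """Canonicalise one cleaned form value before pickling."""
    if isinstance(value, str):
        return value.strip()
    if flatten_querysets and isinstance(value, FakeQuerySet):
        # Keep only what the user actually chose (which objects), in a
        # canonical order so DB ordering cannot change the hash either.
        return sorted(value.pks())
    return value


def form_hmac(cleaned_items, flatten_querysets=False):
    """HMAC over the pickled (field_name, cleaned_value) pairs of a form.

    cleaned_items: list of (name, value) pairs as a bound form would yield.
    """
    data = [(name, _clean_value(v, flatten_querysets)) for name, v in cleaned_items]
    pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
    key = hashlib.sha256(KEY_SALT + SECRET_KEY).digest()  # salted key for the HMAC
    return hmac.new(key, pickled, hashlib.sha256).hexdigest()


def hmac_matches(expected, submitted):
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(expected, submitted)


def demo():
    # The same submission (objects 1 and 2 selected) cleaned twice, each time
    # on a different connection, as happens across worker processes. Inputs are
    # constructed for the example.
    first = [("title", "Hello"), ("tags", FakeQuerySet([2, 1], db_alias="default"))]
    second = [("title", "Hello"), ("tags", FakeQuerySet([1, 2], db_alias="replica"))]
    # A genuinely different selection, which the hash must still reject.
    tampered = [("title", "Hello"), ("tags", FakeQuerySet([1, 3], db_alias="default"))]

    naive_a, naive_b = form_hmac(first), form_hmac(second)
    flat_a, flat_b, flat_t = (form_hmac(x, flatten_querysets=True) for x in (first, second, tampered))
    return {
        "naive_matches": hmac_matches(naive_a, naive_b),       # False: connection state leaked into the pickle
        "flattened_matches": hmac_matches(flat_a, flat_b),     # True: only the chosen pks are hashed
        "tamper_detected": not hmac_matches(flat_a, flat_t),   # True: a changed selection still changes the hash
    }


if __name__ == "__main__":
    print(demo())
```

The point to check when adopting the fix is that the flattened form still binds everything the preview stage must protect: the set of selected primary keys is exactly the user's choice, so dropping query and connection state loses nothing an attacker could exploit, and sorting the keys keeps the hash independent of row ordering as well.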

felix-engelmann commented 5 years ago

I experienced problems with different HMACs in a production environment with multiple worker threads and DB connections. The tests do not really reflect this. Any suggestions?

codecov[bot] commented 3 years ago

Codecov Report

Merging #96 (ec6850d) into master (3b16167) will increase coverage by 0.22%. The diff coverage is 100.00%.


@@            Coverage Diff             @@
##           master      #96      +/-   ##
==========================================
+ Coverage   93.64%   93.86%   +0.22%     
==========================================
  Files          10       10              
  Lines         519      538      +19     
  Branches       65       73       +8     
==========================================
+ Hits          486      505      +19     
  Misses         20       20              
  Partials       13       13              
Impacted Files Coverage Δ
formtools/utils.py 100.00% <100.00%> (ø)
