From 143ff5fb53d37ffe8fe487e857ade566ee34c0f5 Mon Sep 17 00:00:00 2001
From: Preston Holmes
Date: Wed, 15 May 2013 16:14:28 -0700
Subject: [PATCH] Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation. SuspiciousOperations have been differentiated into subclasses, and are now logged to a 'django.security.*' logger. SuspiciousOperations that reach django.core.handlers.base.BaseHandler will now return a 400 instead of a 500. Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft for review.
---
 formtools/exceptions.py | 6 ++++++
 formtools/wizard/storage/cookie.py | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 formtools/exceptions.py
diff --git a/formtools/exceptions.py b/formtools/exceptions.py
new file mode 100644
index 0000000..f07ac9f
--- /dev/null
+++ b/formtools/exceptions.py
@@ -0,0 +1,6 @@
+from django.core.exceptions import SuspiciousOperation
+
+
+class WizardViewCookieModified(SuspiciousOperation):
+ """Signature of cookie modified"""
+ pass
diff --git a/formtools/wizard/storage/cookie.py b/formtools/wizard/storage/cookie.py
index e803610..9bf6503 100644
--- a/formtools/wizard/storage/cookie.py
+++ b/formtools/wizard/storage/cookie.py
@@ -1,8 +1,8 @@
 import json
-from django.core.exceptions import SuspiciousOperation
 from django.core.signing import BadSignature
+from django.contrib.formtools.exceptions import WizardViewCookieModified
 from django.contrib.formtools.wizard import storage
@@ -21,7 +21,7 @@ class CookieStorage(storage.BaseStorage):
 except KeyError:
 data = None
 except BadSignature:
-raise SuspiciousOperation('WizardView cookie manipulated')
+raise WizardViewCookieModified('WizardView cookie manipulated')
 if data is None:
 return None
 return json.loads(data, cls=json.JSONDecoder)
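Review bot: The docstring on `WizardViewCookieModified` in formtools/exceptions.py names what was detected but not when the exception is raised, which is what a reader of a security log entry or the API docs needs. Something like `"""Raised when the signed wizard cookie fails signature verification."""` would say that. The trailing `pass` is redundant once the class body has a docstring and can be dropped.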
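Review bot: The message passed to `WizardViewCookieModified` in the `except BadSignature:` branch of formtools/wizard/storage/cookie.py is a fixed string, so a record on the security logger will not say which wizard's cookie failed verification. Including the cookie name, and never the cookie value, would make triage easier, for example `raise WizardViewCookieModified('WizardView cookie manipulated: %s' % cookie_name)`. Here `cookie_name` is a placeholder for whatever key the `try` body uses for the lookup; that call sits above the hunk, so the real variable is not visible. The enclosing method also starts outside the hunk.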