Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #1621 (closed defect: fixed)

Opened 11 years ago

Last modified 10 years ago

[TEST] CompoundFormField widget can sometimes bypass validation

Reported by: plewis Owned by: anonymous
Priority: normal Milestone: 1.1.x bugfix
Component: TurboGears Version:
Severity: normal Keywords:


If a CompoundFormField is defined in a Form (with an associated Schema for validation), it is possible for a crafted url (or form entry) to bypass validation. If the url does not include the widget at all, validation does not appear to occur unless there is a specific reference to the widget in the parameters for the target (validating) controller.

Furthermore, the widget parameter must have a default value of a dict in order for validation to always work. If the widget parameter has a default value of None (or no default value), then if the widget is missing from the url, validation will pass.

Attached are two files. One is a test project where the /index controller has a link that demonstrates good and bad behavior. The second is a patch to the turbogears 1.0 branch that contains tests showing the behavior in a bit more detail.

 Some discussion about the issue


compoundformtestproj.zip Download (103.3 KB) - added by plewis 11 years ago.
Test project showing the issue
compoundformfieldtest.patch Download (5.8 KB) - added by plewis 11 years ago.

Change History

Changed 11 years ago by plewis

Test project showing the issue

Changed 11 years ago by plewis

comment:1 Changed 11 years ago by Chris Arndt

  • Milestone changed from 1.0.4 to 1.1

comment:2 Changed 11 years ago by faide

  • Milestone changed from 1.5 to 1.1

comment:3 Changed 11 years ago by faide

  • Milestone changed from 1.1 to 1.1 maintenance

comment:4 Changed 10 years ago by chrisz

  • Status changed from new to closed
  • Resolution set to fixed

I checked this with TG 1.0.8, but I could not reproduce the problem.

When I run the test project (compoundformtestproj.zip), the last link redirects to the index page, as expected.

When I run the unit test file (compoundformfieldtest.patch), only the last test fails, but it fails only because it causes an error 500 in the response since the mandatory parameter "mywidget" is missing in the request, not because something is wrong with validation; if I add "mywidget=" then this test does not fail.

Also checked with the old TG revision r3782 corresponding to the test project, which could not reproduce the problem either. Only after installing the old FormEncode 0.7.1 package the tests started to fail. Seems this has been fixed somewhere between FormEncode 0.7.1 and 0.9, I guess in FormEncode changeset 3104. The test above seems a bit too special and complicated to be added to the standard test suite, I think we can rely on the FormEncode test added with mentioned changeset.

Note: See TracTickets for help on using tickets.