修复部分代码漏洞

4 years ago · ef8174d7a7
parent c112a21f4f
commit ef8174d7a7
8 changed files with 23 additions and 69 deletions
--- a/accounts/views.py
+++ b/accounts/views.py
@ -35,6 +35,10 @@ class RegisterView(FormView):
    form_class = RegisterForm
    template_name = 'account/registration_form.html'

+    @method_decorator(csrf_protect)
+    def dispatch(self, *args, **kwargs):
+        return super(RegisterView, self).dispatch(*args, **kwargs)
+
    def form_valid(self, form):
        if form.is_valid():
            user = form.save(False)
--- a/blog/templatetags/blog_tags.py
+++ b/blog/templatetags/blog_tags.py
@ -53,7 +53,7 @@ def custom_markdown(content):
 def get_markdown_toc(content):
    from djangoblog.utils import CommonMarkdown
    body, toc = CommonMarkdown.get_markdown_with_toc(content)
-    return mark_safe(toc), mark_safe(body)
+    return mark_safe(toc)


@register.filter(is_safe=True)
--- a/blog/views.py
+++ b/blog/views.py
@ -4,7 +4,6 @@ import logging
 import os
 import uuid

-from django import forms
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseForbidden
 from django.shortcuts import get_object_or_404
@ -117,17 +116,7 @@ class ArticleDetailView(DetailView):
        return obj

    def get_context_data(self, **kwargs):
-        articleid = int(self.kwargs[self.pk_url_kwarg])
        comment_form = CommentForm()
-        user = self.request.user
-        # 如果用户已经登录，则隐藏邮件和用户名输入框
-        if user.is_authenticated and not user.is_anonymous and user.email and user.username:
-            comment_form.fields.update({
-                'email': forms.CharField(widget=forms.HiddenInput()),
-                'name': forms.CharField(widget=forms.HiddenInput()),
-            })
-            comment_form.fields["email"].initial = user.email
-            comment_form.fields["name"].initial = user.username

        article_comments = self.object.comment_list()

--- a/comments/forms.py
+++ b/comments/forms.py
@ -5,16 +5,6 @@ from .models import Comment


 class CommentForm(ModelForm):
-    url = forms.URLField(label='网址', required=False)
-    email = forms.EmailField(label='电子邮箱', required=True)
-    name = forms.CharField(
-        label='姓名',
-        widget=forms.TextInput(
-            attrs={
-                'value': "",
-                'size': "30",
-                'maxlength': "245",
-                'aria-required': 'true'}))
    parent_comment_id = forms.IntegerField(
        widget=forms.HiddenInput, required=False)

--- a/comments/tests.py
+++ b/comments/tests.py
@ -41,34 +41,32 @@ class CommentsTest(TestCase):
        article.status = 'p'
        article.save()

-        commenturl = reverse(
+        comment_url = reverse(
            'comments:postcomment', kwargs={
                'article_id': article.id})

-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                    {
                                        'body': '123ffffffffff'
                                    })

-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 302)

        article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 0)
+        self.assertEqual(len(article.comment_list()), 1)

-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                    {
                                        'body': '123ffffffffff',
-                                        'email': user.email,
-                                        'name': user.username
                                    })

        self.assertEqual(response.status_code, 302)

        article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 1)
+        self.assertEqual(len(article.comment_list()), 2)
        parent_comment_id = article.comment_list()[0].id

-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                    {
                                        'body': '''
                                        # Title1
@ -83,15 +81,13 @@ class CommentsTest(TestCase):


        ''',
-                                        'email': user.email,
-                                        'name': user.username,
                                        'parent_comment_id': parent_comment_id
                                    })

        self.assertEqual(response.status_code, 302)

        article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 2)
+        self.assertEqual(len(article.comment_list()), 3)
        comment = Comment.objects.get(id=parent_comment_id)
        tree = parse_commenttree(article.comment_list(), comment)
        self.assertEqual(len(tree), 1)
--- a/comments/views.py
+++ b/comments/views.py
@ -1,7 +1,7 @@
 # Create your views here.
-from django import forms
-from django.contrib.auth import get_user_model
 from django.http import HttpResponseRedirect
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_protect
 from django.views.generic.edit import FormView

 from blog.models import Article
@ -13,6 +13,10 @@ class CommentPostView(FormView):
    form_class = CommentForm
    template_name = 'blog/article_detail.html'

+    @method_decorator(csrf_protect)
+    def dispatch(self, *args, **kwargs):
+        return super(CommentPostView, self).dispatch(*args, **kwargs)
+
    def get(self, request, *args, **kwargs):
        article_id = self.kwargs['article_id']

@ -23,16 +27,6 @@ class CommentPostView(FormView):
    def form_invalid(self, form):
        article_id = self.kwargs['article_id']
        article = Article.objects.get(pk=article_id)
-        u = self.request.user
-
-        if self.request.user.is_authenticated:
-            form.fields.update({
-                'email': forms.CharField(widget=forms.HiddenInput()),
-                'name': forms.CharField(widget=forms.HiddenInput()),
-            })
-            user = self.request.user
-            form.fields["email"].initial = user.email
-            form.fields["name"].initial = user.username

        return self.render_to_response({
            'form': form,
@ -45,13 +39,7 @@ class CommentPostView(FormView):

        article_id = self.kwargs['article_id']
        article = Article.objects.get(pk=article_id)
-        if not self.request.user.is_authenticated:
-            email = form.cleaned_data['email']
-            username = form.cleaned_data['name']

-            user = get_user_model().objects.get_or_create(
-                username=username, email=email)[0]
-            # auth.login(self.request, user)
        comment = form.save(False)
        comment.article = article

--- a/templates/blog/tags/article_info.html
+++ b/templates/blog/tags/article_info.html
@ -51,16 +51,16 @@
            <p class='read-more'><a
                    href=' {{ article.get_absolute_url }}'>Read more</a></p>
        {% else %}
-            {% get_markdown_toc article.body as markdown %}
-            {% if article.show_toc %}

+            {% if article.show_toc %}
+                {% get_markdown_toc article.body as toc %}
                <b>目录:</b>
-                {{ markdown.0|safe }}
+                {{ toc|safe }}

                <hr class="break_line"/>
            {% endif %}
            <div class="article">
-                {{ markdown.1|safe }}
+                {{ article.body|custom_markdown|escape }}
            </div>
        {% endif %}

--- a/templates/comments/tags/post_comment.html
+++ b/templates/comments/tags/post_comment.html
@ -13,19 +13,6 @@
                {{ form.body }}
                {{ form.body.errors }}
            </p>
-            <p class="comment-form-author">
-                {% if not form.name.is_hidden %}
-                    {{ form.name.label_tag }}
-                {% endif %}
-                {{ form.name }}
-                {{ form.name.errors }}
-            <p class="comment-form-email">
-                {% if not form.email.is_hidden %}
-                    {{ form.email.label_tag }}
-                {% endif %}
-                {{ form.email }}
-                {{ form.email.errors }}
-            </p>
            {{ form.parent_comment_id }}
            <div class="form-submit">
                <span class="comment-markdown"> 支持markdown</span>