Merge pull request #549 from liangliangyy/dev
修复部分代码漏洞
liangliangyy committed Feb 11, 2022
2 parents c112a21 + ef8174d commit e371090
Showing 8 changed files with 23 additions and 69 deletions.
4 changes: 4 additions & 0 deletions accounts/views.py
Expand Up @@ -35,6 +35,10 @@ class RegisterView(FormView):
form_class = RegisterForm
template_name = 'account/registration_form.html'

@method_decorator(csrf_protect)
def dispatch(self, *args, **kwargs):
return super(RegisterView, self).dispatch(*args, **kwargs)

def form_valid(self, form):
if form.is_valid():
user = form.save(False)
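Review bot: The new `dispatch` override on RegisterView (and the identical one added to CommentPostView in comments/views.py) only adds protection when CsrfViewMiddleware is not active for these views; if the middleware is enabled project-wide the decorator is redundant but harmless, so record the intent with a comment such as `# csrf_protect here so the view stays protected even if CsrfViewMiddleware is removed from settings`. As a point of style, `return super().dispatch(*args, **kwargs)` replaces the two-argument form in both files. The rest of RegisterView lies outside the hunk.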
2 changes: 1 addition & 1 deletion blog/templatetags/blog_tags.py
Expand Up @@ -53,7 +53,7 @@ def custom_markdown(content):
def get_markdown_toc(content):
from djangoblog.utils import CommonMarkdown
body, toc = CommonMarkdown.get_markdown_with_toc(content)
return mark_safe(toc), mark_safe(body)
return mark_safe(toc)


@register.filter(is_safe=True)
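Review bot: `body` on the unpacking line is now assigned and never used, since the new return drops it; `_, toc = CommonMarkdown.get_markdown_with_toc(content)` makes that explicit (and, if the helper can produce the toc alone, rendering the body only to discard it could be avoided — cannot tell from here). The toc is still wrapped in mark_safe and its heading text originates in the article body, so this relies on CommonMarkdown escaping heading text while building the toc; worth confirming and stating in a docstring such as `"""Return the article's TOC as safe HTML; CommonMarkdown must already escape heading text."""`.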
11 changes: 0 additions & 11 deletions blog/views.py
Expand Up @@ -4,7 +4,6 @@
import os
import uuid

from django import forms
from django.conf import settings
from django.http import HttpResponse, HttpResponseForbidden
from django.shortcuts import get_object_or_404
Expand Down Expand Up @@ -117,17 +116,7 @@ def get_object(self, queryset=None):
return obj

def get_context_data(self, **kwargs):
articleid = int(self.kwargs[self.pk_url_kwarg])
comment_form = CommentForm()
user = self.request.user
# 如果用户已经登录,则隐藏邮件和用户名输入框
if user.is_authenticated and not user.is_anonymous and user.email and user.username:
comment_form.fields.update({
'email': forms.CharField(widget=forms.HiddenInput()),
'name': forms.CharField(widget=forms.HiddenInput()),
})
comment_form.fields["email"].initial = user.email
comment_form.fields["name"].initial = user.username

article_comments = self.object.comment_list()

10 changes: 0 additions & 10 deletions comments/forms.py
Expand Up @@ -5,16 +5,6 @@


class CommentForm(ModelForm):
url = forms.URLField(label='网址', required=False)
email = forms.EmailField(label='电子邮箱', required=True)
name = forms.CharField(
label='姓名',
widget=forms.TextInput(
attrs={
'value': "",
'size': "30",
'maxlength': "245",
'aria-required': 'true'}))
parent_comment_id = forms.IntegerField(
widget=forms.HiddenInput, required=False)

20 changes: 8 additions & 12 deletions comments/tests.py
Expand Up @@ -41,34 +41,32 @@ def test_validate_comment(self):
article.status = 'p'
article.save()

commenturl = reverse(
comment_url = reverse(
'comments:postcomment', kwargs={
'article_id': article.id})

response = self.client.post(commenturl,
response = self.client.post(comment_url,
{
'body': '123ffffffffff'
})

self.assertEqual(response.status_code, 200)
self.assertEqual(response.status_code, 302)

article = Article.objects.get(pk=article.pk)
self.assertEqual(len(article.comment_list()), 0)
self.assertEqual(len(article.comment_list()), 1)

response = self.client.post(commenturl,
response = self.client.post(comment_url,
{
'body': '123ffffffffff',
'email': user.email,
'name': user.username
})

self.assertEqual(response.status_code, 302)

article = Article.objects.get(pk=article.pk)
self.assertEqual(len(article.comment_list()), 1)
self.assertEqual(len(article.comment_list()), 2)
parent_comment_id = article.comment_list()[0].id

response = self.client.post(commenturl,
response = self.client.post(comment_url,
{
'body': '''
# Title1
Expand All @@ -83,15 +81,13 @@ def test_validate_comment(self):
''',
'email': user.email,
'name': user.username,
'parent_comment_id': parent_comment_id
})

self.assertEqual(response.status_code, 302)

article = Article.objects.get(pk=article.pk)
self.assertEqual(len(article.comment_list()), 2)
self.assertEqual(len(article.comment_list()), 3)
comment = Comment.objects.get(id=parent_comment_id)
tree = parse_commenttree(article.comment_list(), comment)
self.assertEqual(len(tree), 1)
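Review bot: The rewritten assertions only exercise the authenticated path (a bare `{'body': ...}` post now yields 302 and a new comment), so nothing pins the property this commit introduces — that a poster's identity can no longer be supplied through the `email`/`name` fields. Add a case after `self.client.logout()` that posts the same payload including `email`/`name` and asserts the comment count is unchanged, e.g. `self.assertEqual(len(Article.objects.get(pk=article.pk).comment_list()), 3)`; the status code to expect depends on how CommentPostView handles anonymous requests, which is outside this hunk. The `email`/`name` keys still sent in the later posts are now ignored by the form and could be dropped so the test reads as intended. test_validate_comment continues outside the hunk.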
24 changes: 6 additions & 18 deletions comments/views.py
@@ -1,7 +1,7 @@
# Create your views here.
from django import forms
from django.contrib.auth import get_user_model
from django.http import HttpResponseRedirect
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_protect
from django.views.generic.edit import FormView

from blog.models import Article
Expand All @@ -13,6 +13,10 @@ class CommentPostView(FormView):
form_class = CommentForm
template_name = 'blog/article_detail.html'

@method_decorator(csrf_protect)
def dispatch(self, *args, **kwargs):
return super(CommentPostView, self).dispatch(*args, **kwargs)

def get(self, request, *args, **kwargs):
article_id = self.kwargs['article_id']

Expand All @@ -23,16 +27,6 @@ def get(self, request, *args, **kwargs):
def form_invalid(self, form):
article_id = self.kwargs['article_id']
article = Article.objects.get(pk=article_id)
u = self.request.user

if self.request.user.is_authenticated:
form.fields.update({
'email': forms.CharField(widget=forms.HiddenInput()),
'name': forms.CharField(widget=forms.HiddenInput()),
})
user = self.request.user
form.fields["email"].initial = user.email
form.fields["name"].initial = user.username

return self.render_to_response({
'form': form,
Expand All @@ -45,13 +39,7 @@ def form_valid(self, form):

article_id = self.kwargs['article_id']
article = Article.objects.get(pk=article_id)
if not self.request.user.is_authenticated:
email = form.cleaned_data['email']
username = form.cleaned_data['name']

user = get_user_model().objects.get_or_create(
username=username, email=email)[0]
# auth.login(self.request, user)
comment = form.save(False)
comment.article = article

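Review bot: With the unauthenticated branch removed from form_valid, nothing visible in the hunk rejects an anonymous POST before `form.save(False)`; if the comment's author is taken from `self.request.user` further down (outside the hunk), an AnonymousUser would presumably fail at save time with a 500 instead of a clean refusal. Guard the view explicitly, e.g. mix `LoginRequiredMixin` into CommentPostView, or open form_valid with `if not self.request.user.is_authenticated: return HttpResponseForbidden()` (HttpResponseForbidden is not among the imports shown in the first hunk; HttpResponseRedirect is). A short comment on the view, `# Only authenticated users may post; identity comes from the session, never from the form`, would document why the email/name handling is gone. The bodies of form_invalid and form_valid continue outside their hunks.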
8 changes: 4 additions & 4 deletions templates/blog/tags/article_info.html
Expand Up @@ -51,16 +51,16 @@ <h1 class="entry-title">
<p class='read-more'><a
href=' {{ article.get_absolute_url }}'>Read more</a></p>
{% else %}
{% get_markdown_toc article.body as markdown %}
{% if article.show_toc %}

{% if article.show_toc %}
{% get_markdown_toc article.body as toc %}
<b>目录:</b>
{{ markdown.0|safe }}
{{ toc|safe }}

<hr class="break_line"/>
{% endif %}
<div class="article">
{{ markdown.1|safe }}
{{ article.body|custom_markdown|escape }}
</div>
{% endif %}

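Review bot: `{{ article.body|custom_markdown|escape }}` cannot do what it appears to: Django's `escape` filter leaves a string already marked safe untouched, so if custom_markdown returns mark_safe output nothing is escaped, and if it returns a plain string the rendered HTML would be shown as literal text. Either way the defence has to live in the renderer — an allow-list sanitiser applied inside custom_markdown/CommonMarkdown — with the template reduced to `{{ article.body|custom_markdown }}`; confirm which case applies before changing it. The same consideration applies to `{{ toc|safe }}`, whose heading text also originates in the article body.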
13 changes: 0 additions & 13 deletions templates/comments/tags/post_comment.html
Expand Up @@ -13,19 +13,6 @@ <h3 id="reply-title" class="comment-reply-title">发表评论
{{ form.body }}
{{ form.body.errors }}
</p>
<p class="comment-form-author">
{% if not form.name.is_hidden %}
{{ form.name.label_tag }}
{% endif %}
{{ form.name }}
{{ form.name.errors }}
<p class="comment-form-email">
{% if not form.email.is_hidden %}
{{ form.email.label_tag }}
{% endif %}
{{ form.email }}
{{ form.email.errors }}
</p>
{{ form.parent_comment_id }}
<div class="form-submit">
<span class="comment-markdown"> 支持markdown</span>
