修复部分代码漏洞

Author: liangliangyy

accounts/views.py

@@ -35,6 +35,10 @@ class RegisterView(FormView):
     form_class = RegisterForm
     template_name = 'account/registration_form.html'
 
+    @method_decorator(csrf_protect)
+    def dispatch(self, *args, **kwargs):
+        return super(RegisterView, self).dispatch(*args, **kwargs)
+
     def form_valid(self, form):
         if form.is_valid():
             user = form.save(False)

blog/templatetags/blog_tags.py

@@ -53,7 +53,7 @@ def custom_markdown(content):
 def get_markdown_toc(content):
     from djangoblog.utils import CommonMarkdown
     body, toc = CommonMarkdown.get_markdown_with_toc(content)
-    return mark_safe(toc), mark_safe(body)
+    return mark_safe(toc)
 
 
 @register.filter(is_safe=True)

blog/views.py

@@ -4,7 +4,6 @@
 import os
 import uuid
 
-from django import forms
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseForbidden
 from django.shortcuts import get_object_or_404
@@ -117,17 +116,7 @@ def get_object(self, queryset=None):
         return obj
 
     def get_context_data(self, **kwargs):
-        articleid = int(self.kwargs[self.pk_url_kwarg])
         comment_form = CommentForm()
-        user = self.request.user
-        # 如果用户已经登录，则隐藏邮件和用户名输入框
-        if user.is_authenticated and not user.is_anonymous and user.email and user.username:
-            comment_form.fields.update({
-                'email': forms.CharField(widget=forms.HiddenInput()),
-                'name': forms.CharField(widget=forms.HiddenInput()),
-            })
-            comment_form.fields["email"].initial = user.email
-            comment_form.fields["name"].initial = user.username
 
         article_comments = self.object.comment_list()
 

comments/forms.py

@@ -5,16 +5,6 @@
 
 
 class CommentForm(ModelForm):
-    url = forms.URLField(label='网址', required=False)
-    email = forms.EmailField(label='电子邮箱', required=True)
-    name = forms.CharField(
-        label='姓名',
-        widget=forms.TextInput(
-            attrs={
-                'value': "",
-                'size': "30",
-                'maxlength': "245",
-                'aria-required': 'true'}))
     parent_comment_id = forms.IntegerField(
         widget=forms.HiddenInput, required=False)
 

comments/tests.py

@@ -41,34 +41,32 @@ def test_validate_comment(self):
         article.status = 'p'
         article.save()
 
-        commenturl = reverse(
+        comment_url = reverse(
             'comments:postcomment', kwargs={
                 'article_id': article.id})
 
-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                     {
                                         'body': '123ffffffffff'
                                     })
 
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 302)
 
         article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 0)
+        self.assertEqual(len(article.comment_list()), 1)
 
-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                     {
                                         'body': '123ffffffffff',
-                                        'email': user.email,
-                                        'name': user.username
                                     })
 
         self.assertEqual(response.status_code, 302)
 
         article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 1)
+        self.assertEqual(len(article.comment_list()), 2)
         parent_comment_id = article.comment_list()[0].id
 
-        response = self.client.post(commenturl,
+        response = self.client.post(comment_url,
                                     {
                                         'body': '''
                                         # Title1
@@ -83,15 +81,13 @@ def test_validate_comment(self):
 
 
         ''',
-                                        'email': user.email,
-                                        'name': user.username,
                                         'parent_comment_id': parent_comment_id
                                     })
 
         self.assertEqual(response.status_code, 302)
 
         article = Article.objects.get(pk=article.pk)
-        self.assertEqual(len(article.comment_list()), 2)
+        self.assertEqual(len(article.comment_list()), 3)
         comment = Comment.objects.get(id=parent_comment_id)
         tree = parse_commenttree(article.comment_list(), comment)
         self.assertEqual(len(tree), 1)

comments/views.py

@@ -1,7 +1,7 @@
 # Create your views here.
-from django import forms
-from django.contrib.auth import get_user_model
 from django.http import HttpResponseRedirect
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_protect
 from django.views.generic.edit import FormView
 
 from blog.models import Article
@@ -13,6 +13,10 @@ class CommentPostView(FormView):
     form_class = CommentForm
     template_name = 'blog/article_detail.html'
 
+    @method_decorator(csrf_protect)
+    def dispatch(self, *args, **kwargs):
+        return super(CommentPostView, self).dispatch(*args, **kwargs)
+
     def get(self, request, *args, **kwargs):
         article_id = self.kwargs['article_id']
 
@@ -23,16 +27,6 @@ def get(self, request, *args, **kwargs):
     def form_invalid(self, form):
         article_id = self.kwargs['article_id']
         article = Article.objects.get(pk=article_id)
-        u = self.request.user
-
-        if self.request.user.is_authenticated:
-            form.fields.update({
-                'email': forms.CharField(widget=forms.HiddenInput()),
-                'name': forms.CharField(widget=forms.HiddenInput()),
-            })
-            user = self.request.user
-            form.fields["email"].initial = user.email
-            form.fields["name"].initial = user.username
 
         return self.render_to_response({
             'form': form,
@@ -45,13 +39,7 @@ def form_valid(self, form):
 
         article_id = self.kwargs['article_id']
         article = Article.objects.get(pk=article_id)
-        if not self.request.user.is_authenticated:
-            email = form.cleaned_data['email']
-            username = form.cleaned_data['name']
 
-            user = get_user_model().objects.get_or_create(
-                username=username, email=email)[0]
-            # auth.login(self.request, user)
         comment = form.save(False)
         comment.article = article
 

templates/blog/tags/article_info.html

@@ -51,16 +51,16 @@ <h1 class="entry-title">
             <p class='read-more'><a
                     href=' {{ article.get_absolute_url }}'>Read more</a></p>
         {% else %}
-            {% get_markdown_toc article.body as markdown %}
-            {% if article.show_toc %}
 
+            {% if article.show_toc %}
+                {% get_markdown_toc article.body as toc %}
                 <b>目录:</b>
-                {{ markdown.0|safe }}
+                {{ toc|safe }}
 
                 <hr class="break_line"/>
             {% endif %}
             <div class="article">
-                {{ markdown.1|safe }}
+                {{ article.body|custom_markdown|escape }}
             </div>
         {% endif %}
 

templates/comments/tags/post_comment.html

@@ -13,19 +13,6 @@ <h3 id="reply-title" class="comment-reply-title">发表评论
                 {{ form.body }}
                 {{ form.body.errors }}
             </p>
-            <p class="comment-form-author">
-                {% if not form.name.is_hidden %}
-                    {{ form.name.label_tag }}
-                {% endif %}
-                {{ form.name }}
-                {{ form.name.errors }}
-            <p class="comment-form-email">
-                {% if not form.email.is_hidden %}
-                    {{ form.email.label_tag }}
-                {% endif %}
-                {{ form.email }}
-                {{ form.email.errors }}
-            </p>
             {{ form.parent_comment_id }}
             <div class="form-submit">
                 <span class="comment-markdown"> 支持markdown</span>