Opened 10 years ago
Closed 10 years ago
#24836 closed Bug (fixed)
force_text doesn't force SimpleLazyObject into a string
Reported by: | Piotr Maliński | Owned by: | nobody |
---|---|---|---|
Component: | Utilities | Version: | 1.8 |
Severity: | Release blocker | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
With Django 1.8 https://github.com/django/django/commit/8099d33b6553c9ee7de779ae9d191a1bf22adbda csrf_token now is a SimpleLazyObject. In my view for Facebook authentication JavaScript made an ajax request to authenticate user and get data back. To get new csrf_token I used:
force_text(csrf(request).get('csrf_token'))
But now json can't encode SimpleLazyObject. Should force_text force it to string or maybe using vanilla json isn't recommended even more for anything-Django data?
Change History (13)
comment:1 by , 10 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
comment:2 by , 10 years ago
Resolution: | worksforme |
---|---|
Status: | closed → new |
It does compare to string but it's not a string:
>>> from django.utils.functional import SimpleLazyObject >>> from django.utils.encoding import force_text >>> force_text(SimpleLazyObject(lambda: 'aaa')) <SimpleLazyObject: 'aaa'>
so:
>>> force_text(SimpleLazyObject(lambda: 'aaa')) == 'aaa' True >>> import json >>> json.dumps(force_text(SimpleLazyObject(lambda: 'aaa'))) Traceback (most recent call last): File "<console>", line 1, in <module> File "/usr/lib/python3.4/json/__init__.py", line 230, in dumps return _default_encoder.encode(obj) File "/usr/lib/python3.4/json/encoder.py", line 186, in encode return encode_basestring_ascii(o) TypeError: first argument must be a string, not SimpleLazyObject
comment:3 by , 10 years ago
Component: | Utilities → CSRF |
---|---|
Severity: | Normal → Release blocker |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Bug |
Asked on the original pull request if the author has an idea of how to fix it. If not, we could revert the breaking patch and add a test for this case (unless the performance benefits are deemed to be beneficial enough such that breaking backwards compatibility is okay).
comment:4 by , 10 years ago
It may also be a point for "force_text" - how much should it force to be a "text" instead of an object:
Similar to smart_text, except that lazy instances are resolved to strings, rather than kept as lazy objects.
comment:5 by , 10 years ago
Yes, it seems to me that this is just a bug in force_text
; it doesn't do what it says on the tin.
comment:6 by , 10 years ago
I'm not quite sure what the fix would look like, but I think force_text()
might need special knowledge of SimpleLazyObject
if we were to fix it there, which doesn't seem like a good separation of concerns. The docstring for SimpleLazyObject
says, "Designed for compound objects of unknown type. For builtins or objects of known type, use django.utils.functional.lazy."
Currently force_text()
does a six.text_type()
cast and type(force_text(obj)
-> SimpleLazyObject
if obj
is a SimpleLazyObject
.
comment:7 by , 10 years ago
I think the bug is in the interaction between the fact that SimpleLazyObject
overrides isinstance
checks in order to pretend to be its wrapped type, and the performance shortcut at the top of force_text
:
if isinstance(s, six.text_type): return s
So in the specific situation of a SimpleLazyObject
wrapping an object of six.text_type
, force_text
does nothing at all, it doesn't cast to six.test_type
. (If it actually did cast, we wouldn't have this problem; SimpleLazyObject
does not survive a type cast).
IMO the right fix would be to make the shortcut check stricter:
if issubclass(type(s), six.text_type): return s
Then force_text
would actually behave as its docstring claims, and resolve all lazy instances (including SimpleLazyObject
) to strings.
We could make the check even stricter and require an exact class match -- if type(s) is six.text_type
-- but then force_text
would begin reducing string subclasses to the base string class too. I don't have a clear intuition that it ought to do that, so I think I'd favor the issubclass
version.
comment:8 by , 10 years ago
Specifically, if type(s) is six.text_type
would cast a SafeText
instance to a plain string, so I'd say that issubclass
is the way to go in that case.
The problems with json.dumps
and the like come from that fact that deep down, on a C level, a SimpleLazyObject
is simply not a string. I don't believe that is something we can fix. Subclasses of six.text_type
don't have that problem.
comment:9 by , 10 years ago
Component: | CSRF → Utilities |
---|---|
Has patch: | set |
Patch needs improvement: | set |
PR, but have some test failures on Python 2 that need to be investigated.
comment:11 by , 10 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
I'm a bit scared by introducing such a low-level change in a stable release. Another scenario would be to revert Alex change in 1.8 and introduce this in master only.
I added this test to
tests/csrf_tests/tests.py
, but couldn't reproduce a problem:Could you please reopen if you can provide a snippet that reproduces a crash?