jazzband / django-formtools

A set of high-level abstractions for Django forms
https://django-formtools.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Formtools chokes when ‘current_step’ has unexpected value #38

Closed codingisacopingstrategy closed 5 years ago

codingisacopingstrategy commented 9 years ago

Hello,

I tested in 1.6 but it looks like this behaviour is still the same: https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L408

A user has been tampering with the current_step part of a POST request that is part of the Django Form Wizard. The current step should be something like ‘request-sim’ but the user changes it to ‘-’. Formtools does not seem to check whether the step actually exists. So it raises a KeyError when trying to access it.

Could this error be handled more gracefully? Catch the KeyError and respond with a Bad request if the step has been tampered with?

Thanks a bunch for Django+formtools, Cheers!

This is the exception:

KeyError: u"'"

Stacktrace (most recent call last):

File "django/core/handlers/base.py", line 112, in get_response
  response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "django/views/generic/base.py", line 69, in view
  return self.dispatch(request, *args, **kwargs)
File "mvne/new_registration_wizard/views.py", line 106, in dispatch
  response = super(RegistrationWizardView, self).dispatch(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 236, in dispatch
  response = super(WizardView, self).dispatch(request, *args, **kwargs)
File "django/views/generic/base.py", line 87, in dispatch
  return handler(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 673, in post
  return super(NamedUrlWizardView, self).post(*args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 286, in post
  form = self.get_form(data=self.request.POST, files=self.request.FILES)
File "django/contrib/formtools/wizard/views.py", line 406, in get_form
  'prefix': self.get_form_prefix(step, self.form_list[step]),

This is the data from the post request:

u' order by 1000000000--'   u''
u'csrfmiddlewaretoken'  u'x77Ea73S7gcJlc3q1TbwjFnK4pics6PU'
u'echo phpinfo()'   u''
u'registration_wizard_view-current_step'    u'''
u'request-sim-mgm_form-friend'  u'0'
u'request-sim-sim_type_form-sim_type'   u''

rixx commented 6 years ago

To echo this rather old issue: If I use condition_dict to show some wizard steps only some of the time, and those conditions change unexpectedly, removing that step from the logic before the user submits their (already loaded) page – django-formtools leads to an exception.

File "/home/pretalx_prod/.local/lib/python3.7/site-packages/formtools/wizard/views.py" in next
  81.         return self._wizard.get_next_step()

File "/home/pretalx_prod/.local/lib/python3.7/site-packages/formtools/wizard/views.py" in get_next_step
  520.         key = keys.index(step) + 1

ValueError: 'broken_step' is not in list

(For reference, this is the offending line: https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L529). Checking that the step exists in the list seems a prudent precaution.
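Both comments above describe the same gap: a step name that reaches `form_list[step]` (KeyError, first report) or `keys.index(step)` (ValueError, rixx's report) is never checked against the steps that are actually active. The following is an added, self-contained illustration written for this thread; it is not code from django-formtools or from either commenter. `MiniWizard`, `StepNotFound` and `handle_post` are invented stand-ins that mirror the wizard's step bookkeeping (an ordered `form_list` filtered by `condition_dict`) closely enough to reproduce both exceptions and to show a validated lookup that maps an unknown step to a 400 instead of a 500.

```python
"""Added example (not django-formtools code): a minimal stand-in for the
wizard's step bookkeeping that reproduces the KeyError / ValueError from
this issue and shows a hardened lookup that rejects unknown step names."""
from collections import OrderedDict


class StepNotFound(Exception):
    """Raised for a client-supplied step name that is not in the active list."""


class MiniWizard:
    # form_list maps step name -> form class. Plain strings stand in for the
    # form classes here (constructed sample data, not real forms).
    def __init__(self, form_list, condition_dict=None):
        self.form_list = OrderedDict(form_list)
        self.condition_dict = condition_dict or {}

    def get_form_list(self):
        """Mirror of condition_dict filtering: a step whose condition is False
        (or whose callable returns False) is dropped from the active list."""
        active = OrderedDict()
        for name, form in self.form_list.items():
            cond = self.condition_dict.get(name, True)
            if callable(cond):
                cond = cond(self)
            if cond:
                active[name] = form
        return active

    # --- behaviour as reported in the thread ---------------------------------
    def get_form_unchecked(self, step):
        # Indexing with a tampered name raises KeyError (first comment).
        return self.get_form_list()[step]

    def get_next_step_unchecked(self, step):
        keys = list(self.get_form_list().keys())
        key = keys.index(step) + 1  # ValueError once the step vanished (rixx)
        return keys[key] if key < len(keys) else None

    # --- hardened variants ---------------------------------------------------
    def resolve_step(self, step):
        """Validate a step name against the *currently* active steps.
        Unknown names raise StepNotFound, which the view maps to a 400."""
        active = self.get_form_list()
        if not isinstance(step, str) or step not in active:
            raise StepNotFound(step)
        return step

    def get_form(self, step):
        return self.get_form_list()[self.resolve_step(step)]

    def get_next_step(self, step):
        keys = list(self.get_form_list().keys())
        idx = keys.index(self.resolve_step(step)) + 1
        return keys[idx] if idx < len(keys) else None


def handle_post(wizard, post_data, prefix="wizard"):
    """Stand-in for the view's post(): returns (status, payload) rather than
    an HttpResponse so the example runs without Django installed."""
    step = post_data.get(prefix + "-current_step")
    try:
        return 200, wizard.get_form(step)
    except StepNotFound:
        return 400, "unknown wizard step"


if __name__ == "__main__":
    # Constructed POST resembling the one in the first comment: the
    # current_step value has been replaced with a single quote character.
    wiz = MiniWizard([("request-sim", "SimForm"), ("confirm", "ConfirmForm")])
    tampered = {"registration_wizard_view-current_step": "'"}
    print(handle_post(wiz, tampered, prefix="registration_wizard_view"))

    # Constructed condition_dict scenario from rixx's comment: the step the
    # client is on was switched off between page load and submit.
    wiz2 = MiniWizard(
        [("a", "A"), ("broken_step", "B"), ("c", "C")],
        condition_dict={"broken_step": lambda w: False},
    )
    try:
        wiz2.get_next_step("broken_step")
    except StepNotFound as exc:
        print("rejected step:", exc)
```

The check lives in `resolve_step` and is applied on every path that consumes a client-controlled step name, so a name that was valid when the page rendered but is no longer active is treated the same way as a deliberately tampered one.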