Closed ksurya closed 10 years ago
Another solution to fix the kind of attacks described in the commit https://github.com/scipy/SciPyCentral/commit/9cec5bf1fac3cc125342eb5f7138aa84fb6cd265 is to cryptographically sign the values. The API can be found at https://docs.djangoproject.com/en/1.4/topics/signing/.
This solution requires fewer changes in the source code and can simply be done at the form validation level. Thus the very possibility of this bug is removed.
As with the current master: the site is unable to create `Revisions` to existing `Submissions`. I tested the changes and found that https://github.com/scipy/SciPyCentral/commit/9cec5bf1fac3cc125342eb5f7138aa84fb6cd265 is where the trouble started. The code seems to work fine until the page where the `cancel`, `preview` and `submit` buttons are shown. Upon clicking the `submit` button, it is supposed to create a revision to the existing submission, but it is creating a new submission!

Probable reason for the issue: after clicking the "submit" button, which triggers the `new_or_edit_submission` view, `None` is being passed as the `submission` argument to `create_or_edit_submission_revision`, which is why a new submission is created.
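As an added illustration of the signing approach proposed in this issue (example code, not from the SciPyCentral project or from any participant here), the block below implements the same value-plus-HMAC scheme in plain Python so it runs without Django. Django's own `django.core.signing.Signer` offers `sign()`/`unsign()` with the same `value:signature` layout and raises `BadSignature` on tampering; the function names, the `submission_id` field name, the secret key and the salts below are assumptions for the example. The point it demonstrates is the form-validation-level check: a hidden field carrying the id of the `Submission` being revised is accepted only if its signature verifies, so a client cannot swap in another submission's id or strip the field to force a fresh submission.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret for the example; Django would use settings.SECRET_KEY.
SECRET_KEY = b"constructed-secret-key-for-this-example-only"
SEP = ":"


class BadSignature(Exception):
    """Raised when a signed value fails verification."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _signature(value: str, key: bytes, salt: str) -> str:
    # Derive a per-purpose key from the salt so a signature minted for one
    # field cannot be replayed as a different field with the same value.
    derived = hashlib.sha256(salt.encode("utf-8") + key).digest()
    mac = hmac.new(derived, value.encode("utf-8"), hashlib.sha256).digest()
    return _b64(mac)


def sign(value: str, key: bytes = SECRET_KEY, salt: str = "hidden-field") -> str:
    """Return 'value:signature'. The value must not contain the separator."""
    if SEP in value:
        raise ValueError("value must not contain the separator")
    return f"{value}{SEP}{_signature(value, key, salt)}"


def unsign(signed: str, key: bytes = SECRET_KEY, salt: str = "hidden-field") -> str:
    """Return the original value, or raise BadSignature if it was tampered with."""
    value, sep, sig = signed.rpartition(SEP)
    if not sep:
        raise BadSignature("no signature present")
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, _signature(value, key, salt)):
        raise BadSignature("signature mismatch")
    return value


def is_valid(signed: str, salt: str = "hidden-field") -> bool:
    try:
        unsign(signed, salt=salt)
        return True
    except BadSignature:
        return False


# --- The form side: what the edit page embeds and what validation checks ---

def render_hidden_field(submission_id: int) -> str:
    """Value the edit form would place in its hidden 'submission_id' input."""
    return sign(str(submission_id), salt="submission-id")


def clean_submission_id(posted: dict) -> "int | None":
    """Form-validation step (hypothetical clean_ method).

    Returns the id of the Submission the user may revise, None for a brand-new
    submission (field absent or empty), and raises BadSignature on tampering.
    """
    raw = posted.get("submission_id", "")
    if raw == "":
        return None
    return int(unsign(raw, salt="submission-id"))


if __name__ == "__main__":
    field = render_hidden_field(42)
    print("hidden field:", field)
    print("revising submission", clean_submission_id({"submission_id": field}))
    forged = "43" + field[2:]  # attacker edits the id but cannot re-sign it
    print("forged field accepted:", is_valid(forged, salt="submission-id"))
```

With this in place the view no longer has to trust the posted id: `clean_submission_id` either yields the exact `Submission` that was signed into the form, or `None` only when the form genuinely carried no submission, which is the distinction the `new_or_edit_submission` / `create_or_edit_submission_revision` bug above hinges on.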