Formtools chokes when ‘current_step’ has unexpected value #38

Closed
@codingisacopingstrategy

Description

Hello,

I tested in 1.6 but it looks like this behaviour is still the same:
https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L408

A user has been tampering with the current_step part of a POST request that is part of the Django Form Wizard. The current step should be something like ‘request-sim’ but the user changes it to ‘-’. Formtools does not seem to check whether the step actually exists, so it raises a KeyError when trying to access it.

Could this error be handled more gracefully? Catch the KeyError and respond with a Bad request if the step has been tampered with?

Thanks a bunch for Django+formtools,
Cheers!

This is the exception:

KeyError: u"'"

Stacktrace (most recent call last):

File "django/core/handlers/base.py", line 112, in get_response
  response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "django/views/generic/base.py", line 69, in view
  return self.dispatch(request, *args, **kwargs)
File "mvne/new_registration_wizard/views.py", line 106, in dispatch
  response = super(RegistrationWizardView, self).dispatch(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 236, in dispatch
  response = super(WizardView, self).dispatch(request, *args, **kwargs)
File "django/views/generic/base.py", line 87, in dispatch
  return handler(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 673, in post
  return super(NamedUrlWizardView, self).post(*args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 286, in post
  form = self.get_form(data=self.request.POST, files=self.request.FILES)
File "django/contrib/formtools/wizard/views.py", line 406, in get_form
  'prefix': self.get_form_prefix(step, self.form_list[step]),

This is the data from the post request:

u' order by 1000000000--'   u''
u'csrfmiddlewaretoken'  u'x77Ea73S7gcJlc3q1TbwjFnK4pics6PU'
u'echo phpinfo()'   u''
u'registration_wizard_view-current_step'    u'''
u'request-sim-mgm_form-friend'  u'0'
u'request-sim-sim_type_form-sim_type'   u''
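The failure mode described in the issue, as an added stand-alone example (not formtools code): a framework-free stand-in for the wizard's step lookup, with the raw `form_list[step]` indexing beside a guarded version that answers 400 for a step name the wizard does not know. `FORM_LIST`, `TamperedStep`, `handle_post` and the POST bodies are constructed for illustration; only the field name and the tampered value `'` come from the issue.

```python
from collections import OrderedDict

# Constructed stand-in for the wizard's form_list: step name -> form class name.
# Assumption: the real wizard indexes self.form_list[step] just like this.
FORM_LIST = OrderedDict([
    ("request-sim", "RequestSimForm"),
    ("confirm", "ConfirmForm"),
])
# Field name copied from the issue's POST data.
STEP_FIELD = "registration_wizard_view-current_step"

class TamperedStep(ValueError):
    """Submitted step name is not a known wizard step."""

def unchecked_lookup(post, form_list):
    """The behaviour the issue reports: index form_list with the raw value."""
    return form_list[post[STEP_FIELD]]   # KeyError: "'" for the tampered request

def crashes_unchecked(post, form_list):
    """True when unchecked_lookup raises the KeyError seen in the stacktrace."""
    try:
        unchecked_lookup(post, form_list)
    except KeyError:
        return True
    return False

def checked_lookup(post, form_list, stored_step):
    """Hardened lookup: fall back to the stored step, reject unknown names."""
    step = post.get(STEP_FIELD, stored_step)
    if step not in form_list:
        raise TamperedStep(step)
    return step, form_list[step]

def handle_post(post, form_list, stored_step="request-sim"):
    """Minimal view-like dispatcher returning (status_code, body)."""
    try:
        step, form_cls = checked_lookup(post, form_list, stored_step)
    except TamperedStep as exc:
        # Reject rather than 500; the raw value is worth logging for detection.
        return 400, "Bad Request: unknown wizard step %r" % (exc.args[0],)
    return 200, "render %s for step %s" % (form_cls, step)

# Constructed POST bodies modelled on the issue's data (token is a placeholder).
TAMPERED_POST = {"csrfmiddlewaretoken": "CSRF-TOKEN-PLACEHOLDER",
                 STEP_FIELD: "'", "request-sim-mgm_form-friend": "0"}
VALID_POST = dict(TAMPERED_POST, **{STEP_FIELD: "request-sim"})
```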
