Formtools chokes when ‘current_step’ has unexpected value #38

Closed
codingisacopingstrategy opened this issue Feb 20, 2015 · 1 comment · May be fixed by #224
@codingisacopingstrategy

Hello,

I tested in 1.6 but it looks like this behaviour is still the same:
https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L408

A user has been tampering with the current_step part of a POST request that is part of the Django Form Wizard. The current step should be something like ‘request-sim’ but the user changes it to ‘-’. Formtools does not seem to check whether the step actually exists. So it raises a KeyError when trying to access it.

Could this error be handled more gracefully? Catch the KeyError and respond with a Bad request if the step has been tampered with?

Thanks a bunch for Django+formtools,
Cheers!

This is the exception:

KeyError: u"'"

Stacktrace (most recent call last):

```
File "django/core/handlers/base.py", line 112, in get_response
  response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "django/views/generic/base.py", line 69, in view
  return self.dispatch(request, *args, **kwargs)
File "mvne/new_registration_wizard/views.py", line 106, in dispatch
  response = super(RegistrationWizardView, self).dispatch(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 236, in dispatch
  response = super(WizardView, self).dispatch(request, *args, **kwargs)
File "django/views/generic/base.py", line 87, in dispatch
  return handler(request, *args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 673, in post
  return super(NamedUrlWizardView, self).post(*args, **kwargs)
File "django/contrib/formtools/wizard/views.py", line 286, in post
  form = self.get_form(data=self.request.POST, files=self.request.FILES)
File "django/contrib/formtools/wizard/views.py", line 406, in get_form
  'prefix': self.get_form_prefix(step, self.form_list[step]),
```

This is the data from the post request:

```
u' order by 1000000000--'                   u''
u'csrfmiddlewaretoken'                      u'x77Ea73S7gcJlc3q1TbwjFnK4pics6PU'
u'echo phpinfo()'                           u''
u'registration_wizard_view-current_step'    u"'"
u'request-sim-mgm_form-friend'              u'0'
u'request-sim-sim_type_form-sim_type'       u''
```
@jezdez jezdez added the bug label Mar 25, 2015
gchp added a commit to gchp/django-formtools that referenced this issue Jun 5, 2015
gchp added a commit to gchp/django-formtools that referenced this issue Aug 18, 2015
@rixx (Contributor) commented Nov 8, 2018

To echo this rather old issue: If I use condition_dict to show some wizard steps only some of the time, and those conditions change unexpectedly, removing that step from the logic before the user submits their (already loaded) page, django-formtools leads to an exception.

```
File "/home/pretalx_prod/.local/lib/python3.7/site-packages/formtools/wizard/views.py" in next
  81.         return self._wizard.get_next_step()

File "/home/pretalx_prod/.local/lib/python3.7/site-packages/formtools/wizard/views.py" in get_next_step
  520.         key = keys.index(step) + 1

ValueError: 'broken_step' is not in list
```

(For reference, this is the offending line: https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L529). Checking that the step exists in the list seems a prudent precaution.

rixx added a commit to rixx/django-formtools that referenced this issue Nov 8, 2018
rixx added a commit to rixx/django-formtools that referenced this issue Aug 13, 2019
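Both comments in this thread point at the same missing guard: a step name that originates from the client (the `current_step` POST field in the first report) or that was valid when the page was rendered but is no longer (the condition_dict case in the second) is used as a key or list index without first checking that it is one of the wizard's active steps, and the resulting KeyError or ValueError surfaces as a 500. The block below is an added example and is not django-formtools code; it is a standalone Python model, without Django, of those two lookups with the membership check added so that tampering fails closed as a 400. It assumes the POST field name `<prefix>-current_step` (matching the field in the posted data above), zero-argument condition callables (a simplification; this is not formtools' condition signature), and a constructed wizard and request bodies that only resemble the ones in the issue.

```python
"""Hardened step resolution for a form-wizard-style view (added example, not formtools code)."""
from collections import OrderedDict
from typing import Callable, Dict, List, Mapping, Optional, Tuple


class BadStep(ValueError):
    """The client-supplied step name does not match an active wizard step."""


class StepResolver:
    """Models the two step lookups from the thread, with membership checks added.

    Assumptions (not formtools' API): an OrderedDict of step name -> form class,
    a POST field named "<prefix>-current_step", and condition callables that
    take no arguments.
    """

    def __init__(self, form_list, prefix, condition_dict=None):
        self.form_list = form_list
        self.prefix = prefix
        self.condition_dict: Dict[str, Callable[[], bool]] = condition_dict or {}

    @property
    def step_field(self) -> str:
        return f"{self.prefix}-current_step"

    def active_steps(self) -> List[str]:
        """Step names in declaration order, skipping steps whose condition is currently False."""
        return [name for name in self.form_list
                if self.condition_dict.get(name, lambda: True)()]

    def resolve_posted_step(self, post: Mapping[str, str]) -> str:
        """Validate the step name taken from POST before it is ever used as a key."""
        step = post.get(self.step_field)
        if step is None:
            raise BadStep("missing %s" % self.step_field)
        if step not in self.active_steps():
            # The check the first report asks for: indexing form_list[step]
            # directly with the posted value raised KeyError on u"'".
            raise BadStep("unknown or inactive step %r" % step)
        return step

    def get_next_step(self, step: str) -> Optional[str]:
        """Next active step, or None at the end; BadStep instead of a bare ValueError."""
        keys = self.active_steps()
        if step not in keys:
            # The second report's case: the step was active when the page was
            # rendered but its condition flipped before submit, so a bare
            # keys.index(step) would raise ValueError.
            raise BadStep("step %r is no longer part of the wizard" % step)
        idx = keys.index(step) + 1
        return keys[idx] if idx < len(keys) else None


def handle_post(resolver: StepResolver, post: Mapping[str, str]) -> Tuple[int, object]:
    """What a hardened view does: 400 on tampering, 200 with the next step otherwise."""
    try:
        step = resolver.resolve_posted_step(post)
        next_step = resolver.get_next_step(step)
    except BadStep as exc:
        return 400, str(exc)
    return 200, {"step": step, "next": next_step}


# --- constructed sample wizard and request bodies (not real site data) ---
SHOW_OPTIONAL = {"on": True}  # mutable so the condition can flip mid-session

WIZARD = StepResolver(
    form_list=OrderedDict([("request-sim", object), ("optional", object), ("confirm", object)]),
    prefix="registration_wizard_view",
    condition_dict={"optional": lambda: SHOW_OPTIONAL["on"]},
)

GOOD_POST = {
    "csrfmiddlewaretoken": "constructed",
    "registration_wizard_view-current_step": "request-sim",
    "request-sim-sim_type_form-sim_type": "",
}

# Modelled on the body in the issue: scanner noise plus current_step set to "'".
TAMPERED_POST = {
    " order by 1000000000--": "",
    "echo phpinfo()": "",
    "registration_wizard_view-current_step": "'",
}


def demo_condition_flip() -> Tuple[int, object]:
    """A client submits the 'optional' step after its condition has turned False."""
    SHOW_OPTIONAL["on"] = True
    step = WIZARD.resolve_posted_step({WIZARD.step_field: "optional"})  # active at render time
    SHOW_OPTIONAL["on"] = False  # condition changes server-side before the submit is processed
    try:
        return 200, {"step": step, "next": WIZARD.get_next_step(step)}
    except BadStep as exc:
        return 400, str(exc)


if __name__ == "__main__":
    print(handle_post(WIZARD, GOOD_POST))
    print(handle_post(WIZARD, TAMPERED_POST))
    print(demo_condition_flip())
```

The membership test runs against the active steps, not the full form_list, so a step hidden by condition_dict is rejected the same way as a forged one; in a real Django view the BadStep branch would map to HttpResponseBadRequest rather than a tuple.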