Merge pull request #3794 from csalazar/whitelist-form-methods-in-from…

…response [MRG+1] Fix form methods in FormRequest.from_response (#3777)
scrapy · Jul 2, 2019 · 9aec785 · 9aec785
2 parents 3adf09b + 2e4dc20
commit 9aec785
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/scrapy/http/request/form.py b/scrapy/http/request/form.py
@@ -18,6 +18,7 @@
 
 
 class FormRequest(Request):
+    valid_form_methods = ['GET', 'POST']
 
     def __init__(self, *args, **kwargs):
         formdata = kwargs.pop('formdata', None)
@@ -48,7 +49,13 @@ def from_response(cls, response, formname=None, formid=None, formnumber=0, formd
         form = _get_form(response, formname, formid, formnumber, formxpath)
         formdata = _get_inputs(form, formdata, dont_click, clickdata, response)
         url = _get_form_url(form, kwargs.pop('url', None))
+
         method = kwargs.pop('method', form.method)
+        if method is not None:
+            method = method.upper()
+            if method not in cls.valid_form_methods:
+                method = 'GET'
+
         return cls(url=url, method=method, formdata=formdata, **kwargs)
 
 

diff --git a/tests/test_http_request.py b/tests/test_http_request.py
@@ -1105,6 +1105,20 @@ def test_from_response_css(self):
         self.assertRaises(ValueError, self.request_class.from_response,
                           response, formcss="input[name='abc']")
 
+    def test_from_response_valid_form_methods(self):
+        body = """<form action="post.php" method="%s">
+            <input type="hidden" name="one" value="1">
+            </form>"""
+
+        for method in self.request_class.valid_form_methods:
+            response = _buildresponse(body % method)
+            r = self.request_class.from_response(response)
+            self.assertEqual(r.method, method)
+
+        response = _buildresponse(body % 'UNKNOWN')
+        r = self.request_class.from_response(response)
+        self.assertEqual(r.method, 'GET')
+
 
 def _buildresponse(body, **kwargs):
     kwargs.setdefault('body', body)