-
-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Formtools chokes when ‘current_step’ has unexpected value #38
Labels
Comments
gchp
added a commit
to gchp/django-formtools
that referenced
this issue
Jun 5, 2015
gchp
added a commit
to gchp/django-formtools
that referenced
this issue
Aug 18, 2015
To echo this rather old issue: If I use
|
rixx
added a commit
to rixx/django-formtools
that referenced
this issue
Nov 8, 2018
rixx
added a commit
to rixx/django-formtools
that referenced
this issue
Aug 13, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I tested in 1.6 but it looks like this behaviour is still the same:
https://github.com/django/django-formtools/blob/master/formtools/wizard/views.py#L408
A user has been tampering with the
current_step
part of a POST request that is part of a the Django Form Wizard. The current step should be something like ‘request-sim’ but the user changes it to ‘-’. Formtools does not seems to check whether the step actually exists. So it raises a KeyError when trying to access it.Could this error be handled more gracefully? Catch the
KeyError
and respond with a Bad request if thestep
has been tampered with?Thanks a bunch for Django+formtools,
Cheers!
This is the exception:
This is the data from the post request:
The text was updated successfully, but these errors were encountered: