id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17120	FormSet max_num can be bypassed and any number of forms saved	Miloslav Pojman	nobody	"I've reported this issue to security@djangoproject.com first. It is not considered to be security issue (see Russell's email bellow) so I open it here.

Formsets accept its max_num from data submitted by the user and ignore a value set in the code. It means that user can bypass any formset max_num check and save any number of forms he like.

For example: a user has paid for two persons so I will offer him formsets with max_num=2 in order to make an order. If he tampers the form data he can send orders for any number of persons. In case of model formsets it means that any number of orders will be saved to a database despite the max_num value.

On Fri, Oct 21, 2011 at 2:14 AM, Russell Keith-Magee <russell@djangoproject.com> wrote:
{{{

 We discussed this issue internally, and decided that it wasn't a
 security issue.

 I can certainly see why you raised this as an issue. It's certainly a
 reasonable assumption that max_num should be interpreted as a limit,
 and that it shouldn't be able to be tampered with by a user. To that
 end, it's definitely a bug; we should improve the documentation, and
 we should make whatever changes we need to make to ensure that max_num
 is handled server side, rather than relying on the client-provided
 value.

 An example that helps explain why this isn't a security issue.
 Consider the following case:

  * Page has a form with inlines, and max_num = 3. There is 1 existing
 inline object.
  * User 1 loads the edit page
  * User 2 loads the edit page
  * User 1 submits a POST containing 3 inlines (1 original plus 2 new entries)
  * User 2 submits a POST containing 3 inlines (1 original plus 2 new
 entries, different to those from User 1).

 In this case, both User1 and User2 have obeyed max_num in their forms,
 but User 2 will, in practice, violate the max_num rule. This situation
 exists even when max_num isn't being tampered with; so it highlights
 that max_num is really just a guidance for dynamic form layout, not a
 data validation control. If it were a validation condition, it would
 need to be handled at the model level, not the form level.

 Thank you very much for raising this as a security issue, and
 apologies again for the poor feedback on our part. If you raise this
 as a ticket, we can address the client-side modification issue as a
 normal bug.

 Yours,
 Russ Magee %-)

}}}
"	Bug	closed	Forms	1.3	Normal	fixed			Accepted	0	0	0	0	0	0