Formsets should sign/verify max_num
|Reported by:||jacob||Owned by:||andrewsg|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Originally reported in 2011 by Miloslav Pojman:
The problem is that formsets accept its max_num from data submitted by the user and ignore a value set in the code. It means that user can bypass any formset max_num check. For example: a user has paid for two persons so I will offer him formsets with max_num=2 in order to make an order. If he tampers the form data he can send orders for any number of persons. In case of model formsets it means that any number of orders will be saved to a database despite the max_num value.
We should sign and verify max_num.
Change History (6)
comment:3 Changed 3 years ago by andrewsg
- Owner changed from nobody to andrewsg
- Status changed from new to assigned