id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
20084	Formsets should sign/verify max_num	Jacob	andrewsg	"Originally reported in 2011 by Miloslav Pojman:

{{{
The problem is that formsets accept its max_num from data submitted by
the user and ignore a value set in the code. It means that user can
bypass any formset max_num check.

For example: a user has paid for two persons so I will offer him
formsets with max_num=2 in order to make an order. If he tampers the
form data he can send orders for any number of persons. In case of
model formsets it means that any number of orders will be saved to a
database despite the max_num value.
}}}

We should sign and verify max_num."	Bug	closed	Forms	1.5	Normal	fixed			Accepted	0	0	0	0	0	0