#20084: Formsets should sign/verify max_num
------------------------------------+------------------------
Reporter: jacob | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.5
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------+------------------------
Originally reported in 2011 by Miloslav Pojman:
{{{
The problem is that formsets accept their max_num from data submitted by
the user and ignore a value set in the code. It means that a user can
bypass any formset max_num check.
For example: a user has paid for two persons so I will offer him
formsets with max_num=2 in order to make an order. If he tampers with the
form data he can send orders for any number of persons. In the case of
model formsets it means that any number of orders will be saved to a
database despite the max_num value.
}}}
We should sign and verify max_num.
--
Ticket URL: <https://code.djangoproject.com/ticket/20084>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
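
One way to implement the sign-and-verify idea from this ticket, as an added example that is not Django's code or a patch attached to the ticket. The `MAX_NUM_SIG` field, the helper names and the key are assumptions, and it uses the standard library's `hmac` rather than Django's own signing utilities.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the site's secret


def sign_max_num(prefix, max_num, key=SECRET_KEY):
    """MAC over the formset prefix and max_num, so a tag is not valid for another formset."""
    msg = f"formset-max-num:{prefix}:{max_num}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_management_data(prefix, total, max_num):
    """Hidden fields the server emits; MAX_NUM_SIG is a hypothetical extra field."""
    return {
        f"{prefix}-TOTAL_FORMS": str(total),
        f"{prefix}-INITIAL_FORMS": "0",
        f"{prefix}-MAX_NUM_FORMS": str(max_num),
        f"{prefix}-MAX_NUM_SIG": sign_max_num(prefix, max_num),
    }


def verified_form_count(prefix, post, key=SECRET_KEY):
    """Return how many forms to process, or raise ValueError on tampering."""
    try:
        total = int(post[f"{prefix}-TOTAL_FORMS"])
        max_num = int(post[f"{prefix}-MAX_NUM_FORMS"])
        tag = str(post[f"{prefix}-MAX_NUM_SIG"])
    except (KeyError, ValueError) as exc:
        raise ValueError("management form missing or malformed") from exc
    expected = sign_max_num(prefix, max_num, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("max_num signature mismatch")
    # A valid signature only proves max_num is ours; the count must still obey it.
    if not 0 <= total <= max_num:
        raise ValueError("more forms submitted than max_num allows")
    return total


if __name__ == "__main__":
    # Constructed submissions: what the server rendered, and a tampered copy.
    honest = render_management_data("form", total=2, max_num=2)
    tampered = dict(honest, **{"form-TOTAL_FORMS": "50", "form-MAX_NUM_FORMS": "50"})
    print(verified_form_count("form", honest))
    try:
        verified_form_count("form", tampered)
    except ValueError as err:
        print("rejected:", err)
```

The tag here binds only the formset prefix and the limit, so a limit that differs per user or per order (as in the reporter's paid-for-two-persons case) would also need that user or order identifier included in the signed message.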