FormSet.is_valid() raises ValidationError


Benoit Blanchon

Oct 29, 2019, 12:11:16 PM10/29/19
to Django users
Hi,

From what I understand, Form.is_valid() must return False when the form is invalid or incomplete.

BaseFormSet, however, raises a ValidationError with the message "ManagementForm data is missing or has been tampered with," when the management form has been tampered with.

I think this is incorrect: BaseFormSet.is_valid() should catch this exception and return False; otherwise, it allows a malicious user to cause an error 500 by tampering with the management form.

Best regards,
Benoit Blanchon
(Django version: 2.2.6)

Nijo Joseph

Nov 1, 2019, 11:49:29 AM11/1/19
to Django users
Hi,
In case of

<form method="post">
    <table>
        {{ formset }}
    </table>
</form>

no probs. But in case of

<form method="post">
    {{ formset.management_form }}
    <table>
        {% for form in formset %}
        {{ form }}
        {% endfor %}
    </table>
</form>

{{ formset.management_form }} is required and of course {% csrf_token %}. Ref https://docs.djangoproject.com/en/2.2/topics/forms/formsets/

Benoit Blanchon

Nov 4, 2019, 8:02:47 AM11/4/19
to django...@googlegroups.com
Hi!

Thank you very much for this answer, but that's not what I'm talking about.
I know that you must include the management form in the template, that's not the problem.

I worry about a malicious user (i.e., a hacker) that would purposely tamper with the management form in order to raise an exception on the server.
For example, he could write a loop that calls "curl -X POST" repeatedly, which would flood the admins with "Internal Server Error" emails.

This is possible because BaseFormSet.is_valid() raises an exception when it should return False like a regular form does.

Best Regards,
Benoit
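The behaviour discussed in this thread, as an added example that is not part of the original posts and not Django's own code: the hidden management-form fields (`form-TOTAL_FORMS`, `form-INITIAL_FORMS`) are re-parsed the way a bound formset does it, a strict checker propagates the "tampered" ValidationError exactly as Django 2.2's `BaseFormSet.is_valid()` does, and a view-side wrapper catches that exception and reports the POST as plain invalid input, so a hostile request yields a form error rather than an unhandled 500 and an error e-mail. The `ValidationError` class, the `name` field rule and the sample POST dictionaries are constructed stand-ins; the real pieces are `django.forms.formsets.ManagementForm` and `django.core.exceptions.ValidationError`. (Django 3.2 later changed `BaseFormSet` to report a missing or tampered management form as a user-facing formset error instead of raising.)

```python
# Added example modelling the management-form check on a POSTed Django formset.
# All names are constructed stand-ins, not Django's implementation.
from typing import Dict, Mapping, Tuple


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


TOTAL_FORM_COUNT = "TOTAL_FORMS"
INITIAL_FORM_COUNT = "INITIAL_FORMS"
ABSOLUTE_MAX = 1000  # Django's default hard cap on bound forms per formset


def read_management_form(data: Mapping[str, str], prefix: str = "form") -> Dict[str, int]:
    """Parse the hidden management fields the way a bound formset does.

    Missing or non-integer values raise ValidationError, which is the exception
    the thread complains about when it escapes from is_valid().
    """
    parsed: Dict[str, int] = {}
    for name in (TOTAL_FORM_COUNT, INITIAL_FORM_COUNT):
        raw = data.get(f"{prefix}-{name}")
        try:
            parsed[name] = int(raw)  # int(None) -> TypeError, int("abc") -> ValueError
        except (TypeError, ValueError):
            raise ValidationError(
                "ManagementForm data is missing or has been tampered with"
            ) from None
    # Clamp the declared count so a client cannot make the server build an
    # arbitrary number of sub-forms from one request.
    parsed[TOTAL_FORM_COUNT] = min(parsed[TOTAL_FORM_COUNT], ABSOLUTE_MAX)
    return parsed


def formset_is_valid_strict(data: Mapping[str, str], prefix: str = "form") -> bool:
    """Like BaseFormSet.is_valid() in Django 2.2: the management-form error
    propagates as an exception instead of being reported as 'invalid'."""
    mf = read_management_form(data, prefix)
    # Constructed per-form rule standing in for real sub-form validation:
    # every declared sub-form must carry a non-empty "name" field.
    for i in range(mf[TOTAL_FORM_COUNT]):
        if not data.get(f"{prefix}-{i}-name"):
            return False
    return True


def formset_is_valid_safe(data: Mapping[str, str], prefix: str = "form") -> Tuple[bool, str]:
    """View-level wrapper: treat a tampered management form as ordinary invalid input.

    Returns (valid, error_message). This is the catch-and-return-False the
    thread argues is_valid() itself should perform.
    """
    try:
        return formset_is_valid_strict(data, prefix), ""
    except ValidationError as exc:
        return False, str(exc)


# Constructed sample POST bodies.
GOOD_POST = {
    "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "0",
    "form-0-name": "alice", "form-1-name": "bob",
}
INCOMPLETE_POST = {
    "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "0",
    "form-0-name": "alice",
}
TAMPERED_POST = dict(GOOD_POST, **{"form-TOTAL_FORMS": "not-a-number"})
MISSING_POST = {"form-0-name": "alice"}

if __name__ == "__main__":
    for label, post in [("good", GOOD_POST), ("incomplete", INCOMPLETE_POST),
                        ("tampered", TAMPERED_POST), ("missing", MISSING_POST)]:
        print(label, formset_is_valid_safe(post))
```

In a real Django 2.2 view the wrapper is the same shape: wrap `formset.is_valid()` in `try/except django.core.exceptions.ValidationError` and fall through to re-rendering the form with an error, so the request ends as a normal invalid submission rather than an exception report.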

