I'm not sure if this is a real vulnerability, but I noticed that the code that checks the _formkey in the .accepts() method of FORM looks like this:
    if session:
        formkey = session.get('_formkey[%s]' % formname, None)
        # check if user tampering with form and void CSRF
        if formkey != request_vars._formkey:
            status = False
So, even if you call form.accepts(request, session), if the session happens to be empty at that point, the code will not check whether the form includes a _formkey and whether that _formkey exists in the session. This means if you send a POST request without sending a session cookie (or with a tampered cookie-based session), the _formkey check will be skipped and the submission will be allowed (assuming nothing else gets added to the session during the request and the action doesn't require login). I'm not sure there's really any circumstance in which this can be exploited, but to be safe, should we change the code to something like:
    if session is not None:
        formkey = session.get('_formkey[%s]' % formname, None)
        # check if user tampering with form and void CSRF
        if not formkey or formkey != request_vars._formkey:
            status = False
That way, whenever you pass the session to .accepts(), submission will fail unless the form contains a _formkey and that _formkey is in the session.
Anthony
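The two versions of the check side by side, as an added example that is not web2py's own code: the session and request.vars are modelled as plain dicts (web2py's Storage objects allow attribute access; `.get()` is used here instead), and the form name and token values are constructed for illustration.

```python
# Added example, not web2py code: models the _formkey check in FORM.accepts()
# before and after the proposed change, and shows how an empty session
# (no session cookie, or a cookie that did not validate) changes the outcome.
# `session` and `request_vars` are plain dicts standing in for web2py's Storage.

def accepts_original(session, request_vars, formname):
    """The check as currently written: `if session:` is False for an empty
    session, so the whole _formkey comparison is skipped and status stays True."""
    status = True
    if session:
        formkey = session.get('_formkey[%s]' % formname, None)
        # check if user tampering with form and void CSRF
        if formkey != request_vars.get('_formkey'):
            status = False
    return status


def accepts_fixed(session, request_vars, formname):
    """The proposed check: only a caller passing session=None opts out; an
    empty session yields no stored formkey and therefore fails the check."""
    status = True
    if session is not None:
        formkey = session.get('_formkey[%s]' % formname, None)
        # a missing stored key or a mismatch both reject the submission
        if not formkey or formkey != request_vars.get('_formkey'):
            status = False
    return status


def run_cases():
    """Return {case: (original_result, fixed_result)} for constructed inputs."""
    token = 'abc123'  # constructed sample token, not a real formkey
    cases = {
        'valid token, populated session': ({'_formkey[myform]': token}, {'_formkey': token}),
        'wrong token, populated session': ({'_formkey[myform]': token}, {'_formkey': 'other'}),
        'no token, empty session (no cookie)': ({}, {}),
        'session=None (caller opted out)': (None, {}),
    }
    return {name: (accepts_original(s, rv, 'myform'), accepts_fixed(s, rv, 'myform'))
            for name, (s, rv) in cases.items()}


if __name__ == '__main__':
    for name, (orig, fixed) in run_cases().items():
        print('%-40s original=%s fixed=%s' % (name, orig, fixed))
```

The empty-session case is the one the post describes: the original check accepts it, the fixed check rejects it, while a caller that passes no session at all behaves the same under both.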