
Comments (6)

mishbahr avatar mishbahr commented on July 17, 2024

for some reason this field is missing

We set the "referrer" value when we initialise the form.
See https://github.com/mishbahr/djangocms-forms/blob/master/djangocms_forms/cms_plugins.py#L123
So it should be rendered as a hidden form input in the template.

Can you tell me a scenario where this will not be the case?

from djangocms-forms.

mishbahr avatar mishbahr commented on July 17, 2024

We can't depend on HTTP_REFERER .. but we can always try to get HTTP_REFERER and fallback to root url i.e /

  • form.redirect_url
    or
  • form.cleaned_data.get('referrer', None)
    or
  • self.request.META.get('HTTP_REFERER', '/')

from djangocms-forms.

vstoykov avatar vstoykov commented on July 17, 2024

Request to `/forms/submit/` can be made not only by the plugin but also by some bots or vulnerability scanners.

We need to be exception safe and never return error 500, because this can lead to mail flood (if mail_admins error handler is used).

I prepared a patch in #40 which also adds another level of security by validating the URL with django.utils.http.is_safe_url

from djangocms-forms.

vstoykov avatar vstoykov commented on July 17, 2024

@mishbahr
Even after my patch there is another way of forcing error 500 with a bad referrer value. I was wondering if it would be a good idea to make some validation in the form itself in a clean_referrer method.

I can prepare a patch but I first wanted to ask you for more context before I start implementing anything.

By definition the value in referrer field will always be an absolute URL without domain (always starts with /) and never will be some "random" text that will describe the form (for example "Contact form" or something)?

If we assume that these are the restrictions then I can make necessary modifications and create another PR.

P.S. Is there a need to open another issue or you can reopen this one?

from djangocms-forms.

mishbahr avatar mishbahr commented on July 17, 2024

Can you give me examples of scenario where you are still getting a 500 error?

from djangocms-forms.

vstoykov avatar vstoykov commented on July 17, 2024

If the referrer value is some string without any / in it, then Django will think that this is a named URL and will try to resolve it when calling redirect(redirect_url). If there is no such named URL defined in urls.py then it will raise a NoReverseMatch exception.

from djangocms-forms.
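The two points raised in this thread, the `redirect_url -> referrer -> HTTP_REFERER -> /` fallback chain and the need to validate each candidate before handing it to `redirect()`, are shown together in the added example below. It is illustrative code written for this page, not djangocms-forms' own implementation and not Django's: it reimplements the intent of `django.utils.http.is_safe_url` (deprecated in Django 3.0 in favour of `url_has_allowed_host_and_scheme`) using only the standard library so it runs offline, and the `allowed_hosts` set, the `cleaned_data`/`meta` dictionaries and all sample values are constructed for the example. A bare word such as "Contact form" is rejected up front because `redirect()` would otherwise pass it to `reverse()` as a URL name, and an off-site `HTTP_REFERER` is rejected because honouring it would turn the submit endpoint into an open redirect.

```python
"""Safe redirect-target selection for a form-submit endpoint (added example).

Not the project's or Django's code. The safety check mirrors the intent of
django.utils.http.is_safe_url / url_has_allowed_host_and_scheme but is a
standard-library reimplementation written for this illustration.
"""
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def _is_safe_single(url, allowed_hosts):
    # Browsers treat "///host/..." like "//host/...", but urlparse reads it as
    # a path, so reject it explicitly.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, vbscript:, ...
    if parsed.netloc:
        # Absolute ("https://host/...") or protocol-relative ("//host/...")
        # URL: only allow hosts we serve ourselves (open-redirect guard).
        return parsed.netloc in allowed_hosts
    if parsed.scheme:
        return False  # "http:evil" style: scheme without a host
    # No scheme and no host: it must be a site-relative path. A bare word
    # like "Contact form" is not a path; redirect()/resolve_url() would pass
    # it to reverse() as a URL name and raise NoReverseMatch if none exists.
    return url.startswith("/")


def is_safe_redirect(url, allowed_hosts):
    """True only for a site-relative path or an http(s) URL on an allowed host."""
    if not url or url != url.strip():
        return False
    # Some browsers treat "\" as "/", so "/\evil.example" can become
    # "//evil.example"; the backslash-normalised form must pass as well.
    return (_is_safe_single(url, allowed_hosts)
            and _is_safe_single(url.replace("\\", "/"), allowed_hosts))


def choose_redirect_url(form_redirect_url, cleaned_data, meta, allowed_hosts):
    """Apply the fallback chain from the thread, skipping unsafe candidates.

    form_redirect_url: the plugin's configured redirect (may be None/"")
    cleaned_data:      the submitted form's cleaned data (dict)
    meta:              request.META-like dict, used for HTTP_REFERER
    Every candidate is validated; nothing unvalidated reaches redirect().
    """
    candidates = (
        form_redirect_url,
        cleaned_data.get("referrer"),
        meta.get("HTTP_REFERER"),
    )
    for candidate in candidates:
        if candidate and is_safe_redirect(candidate, allowed_hosts):
            return candidate
    return "/"  # root URL fallback, never a 500


if __name__ == "__main__":
    hosts = {"example.com"}  # constructed: what ALLOWED_HOSTS would contain
    # A scanner posts junk in "referrer" and an off-site Referer header.
    print(choose_redirect_url(
        None,
        {"referrer": "Contact form"},
        {"HTTP_REFERER": "https://evil.example/phish"},
        hosts,
    ))  # /
    # A genuine submission from the contact page.
    print(choose_redirect_url(None, {"referrer": "/contact/"}, {}, hosts))
```

The chain keeps the order the thread proposes, but each step is guarded, so a scanner that submits `referrer=Contact form` and a forged `Referer: https://evil.example/phish` gets sent to `/` rather than triggering `NoReverseMatch` or an off-site redirect.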
