AddForm/EditForm request method not enforced to be POST (leading to CSRF)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| z3c.form | Confirmed | Undecided | Unassigned | |
Bug Description
While the request method of the form is defined, it is not checked during data extraction for Add/Edit forms, such that data that is meant to be submitted in a POST request can also be done with a GET. This opens casual implementation/
A possible fix would be to add a check to the extractData method that validates whether request.method equals the form instance's method, and/or a new attribute that specifies which request methods are allowed, for cases such as query forms whose submitted data cause no side effects.
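To make the reported gap and the sketched fix concrete, here is an added illustrative example; it is not z3c.form's code. It models a form whose `method` attribute says POST but whose `extractData` happily reads field values from any request verb, next to a variant that compares `request.method` with the form's `method` (or an assumed `allowedMethods` attribute) before extracting anything. The `Request` stand-in, the form classes, and the names `extractData`, `method`, `prefix`, `fields` and `allowedMethods` are assumptions chosen to mirror the wording of the report, not the library's API.

```python
"""Illustrative example (not z3c.form code): enforcing the request verb
during form data extraction.

The `Request` class and every form class here are stand-ins written for
this example. Attribute and method names mirror the bug report's wording
but are assumptions, not the library's real API.
"""


class Request:
    """Minimal stand-in for a web request: verb plus submitted fields."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = dict(form or {})


class MethodNotAllowed(Exception):
    """Raised when a form receives data via a verb it does not accept."""


class BaseForm:
    prefix = "form."
    fields = ("title", "description")
    method = "POST"          # verb the rendered <form> is told to use
    allowedMethods = None    # assumed attribute: None means "only `method`"

    def __init__(self, request):
        self.request = request

    def _extract(self):
        """Pull each declared field's value out of the submitted form data."""
        data, errors = {}, []
        for name in self.fields:
            key = self.prefix + name
            if key in self.request.form:
                data[name] = self.request.form[key]
            else:
                errors.append("missing " + name)
        return data, errors


class UnsafeAddForm(BaseForm):
    """Reported behaviour: data is extracted regardless of the request verb."""

    def extractData(self):
        return self._extract()


class SafeAddForm(BaseForm):
    """Suggested fix: refuse extraction unless the verb is one the form allows."""

    def acceptedMethods(self):
        allowed = self.allowedMethods or (self.method,)
        return {m.upper() for m in allowed}

    def extractData(self):
        if self.request.method not in self.acceptedMethods():
            raise MethodNotAllowed(
                "%s submitted via %s; expected one of %s"
                % (type(self).__name__, self.request.method,
                   sorted(self.acceptedMethods())))
        return self._extract()


class SearchForm(SafeAddForm):
    """Side-effect-free form that may legitimately be driven by GET links."""
    fields = ("query",)
    method = "GET"
    allowedMethods = ("GET", "POST")


def submit(form_class, method, fields):
    """Run one submission; return ('ok', data), ('invalid', errors)
    or ('rejected', reason)."""
    form = form_class(Request(method, fields))
    try:
        data, errors = form.extractData()
    except MethodNotAllowed as exc:
        return ("rejected", str(exc))
    return ("ok", data) if not errors else ("invalid", errors)


if __name__ == "__main__":
    # Constructed sample: the same field values arriving via GET and via POST.
    payload = {"form.title": "Hello", "form.description": "via a link"}
    print(submit(UnsafeAddForm, "GET", payload))        # extracted: the bug
    print(submit(SafeAddForm, "GET", payload))          # rejected
    print(submit(SafeAddForm, "POST", payload))         # extracted
    print(submit(SearchForm, "GET", {"form.query": "x"}))  # GET allowed here
```

The verb check closes only the vector the report describes (state-changing data arriving in a GET); a cross-site POST is still accepted by `SafeAddForm`, so per-form anti-CSRF tokens remain necessary, as the maintainer reply below this report also notes.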
Adding generic CSRF support to z3c.form has been discussed on the mailing list. At this point you need to take care of it manually in your own forms. The form framework doesn't promise you any protection, so it's a missing feature but not a bug from our perspective.
At some point the form framework might offer integrated support for it. You can read up on the discussion at https://mail.zope.org/pipermail/zope-dev/2011-April/042760.html