Flask-WTF update to 0.3.2 - security update
- Dan Jacob
- 2010-09-12 @ 11:53
I've issued a new release for Flask-WTF. This is a security release,
fixing a couple of CSRF issues, so I'd recommend anyone using this
package to update to the latest version.
Both of these cases should be rare edge cases, but nonetheless it's
important to have consistent behaviour throughout especially where
there are security concerns.
If you call validate() twice in a view, and all fields pass except for
csrf, the result will be False the first call, True the second:
form.validate() # False
form.validate() # True
The reason is this: when the validate_csrf() call is made, the token
is removed from the session and a new token is created. This is
essential to ensure once-only tokens. The field value however is set
with the new token in place. Again this is essential, so that the new
token is printed to the hidden tag, not the stale token.
However, validate() is called on the field data, even though this is
changed. This means that where the validation was previously False, it
is now True, as now the field data matches the session data.
Secondly, (and somewhat related), if "csrf" is the only field in your
form, this is passed in as a default value. Again this is essential in
order to display the correct value. However the problem is that the
default is used *unless* all the fields are overriden by a
dict/multidict. If the dict is empty, this equates to None (wrongly in
my view, but there you are) and the defaults are used instead.
To prevent both of these occurrences the form keeps an internal flag
to check csrf validation has been or should be done, whatever the
current value of the csrf field.