Hidden Field Lost When Query Parameter is Present

From:
Raj Bala
Date:
2013-07-10 @ 16:38
Hello,

I'm using a hidden field on my forms to prevent CSRF.  The value of this
hidden field is lost when any query parameter is present.

Here's a simple example:
https://gist.github.com/rajbala/07dbb2e4d69b68b1c406

If I browse to http://localhost:5000 the CSRF token is present.

If I browse to http://localhost:5000?test the CSRF token is lost.

Am I doing something wrong or is this a bug?



Raj

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
Juan Pablo Scaletti
Date:
2013-07-10 @ 16:55
The problem is the way you are initialising the form:

form = LoginForm(request.values, csrf_token=csrf_token)

The WTForms documentation says:

__init__(formdata=None, obj=None, prefix='', **kwargs)
Parameters:
formdata – ...
obj – ...
prefix – ...
**kwargs – If neither formdata or obj contains a value for a field, the 
form will assign the value of a matching keyword argument to the field, if
provided.
When visiting http://localhost:5000, request.values is None and your 
csrf_token value is used.
But if a query parameter is present, like http://localhost:5000?test, 
request.values is not None anymore, and so any extra value, like your 
csrf_token, is ignored.


On Jul 10, 2013, at 11:38 AM, Raj Bala <raj@rajbala.com> wrote:

> 
> Hello,
> 
> I'm using a hidden field on my forms to prevent CSRF.  The value of this
hidden field is lost when any query parameter is present.  
> 
> Here's a simple example:  https://gist.github.com/rajbala/07dbb2e4d69b68b1c406
> 
> If I browse to http://localhost:5000 the CSRF token is present.  
> 
> If I browse to http://localhost:5000?test the CSRF token is lost.
> 
> Am I doing something wrong or is this a bug?
> 
> 
> 
> Raj

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
Brandon Sandrowicz
Date:
2013-07-10 @ 17:21
On Wed, Jul 10, 2013 at 11:55:01AM -0500, Juan Pablo Scaletti wrote:
> The problem is the way you are initialising the form:
> 
> form = LoginForm(request.values, csrf_token=csrf_token)
> 
> The WTForms documentation says:
> 
> __init__(formdata=None, obj=None, prefix='', **kwargs)¶
> Parameters:	
> formdata – ...
> obj – ...
> prefix – ...
> **kwargs – If neither formdata or obj contains a value for a field,
> the form will assign the value of a matching keyword argument to the
> field, if provided.
>
> When visiting http://localhost:5000 , request.values is None and your
> csrf_token value is used.
>
> But if a query parameter is present, like http://localhost:5000?test,
> request.values is not None anymore, and so any extra value, like your
> csrf_token, is ignored.

The documentation seems confusing though:

> If neither formdata or obj contains a value for a field, the form will
> assign the value of a matching keyword argument to the field, if
> provided.

This reads, to me, that if request.values contains no value for a key,
then the value for the key will be taken from kwargs. In this case, I
would expect the equivalent of this to happen:

    request.values.get('csrf_token', kwargs.get('csrf_token', None))

If what it *means* is that kwargs is ignored if formdata or obj is not
None, then the documentation needs to be more clear.
-- 
Brandon Sandrowicz
:
: web     => http://brandon.sandrowicz.org
: github  => http://github.com/bsandrow
: twitter => @bsandrow
: email   => brandon@sandrowicz.org

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
Anthony Ford
Date:
2013-07-10 @ 18:19
You can also try flask-wtf, which rolls in wtforms integration.
http://pythonhosted.org/Flask-WTF/

Anthony Ford
Center for Advanced Radio Astronomy
Univ. of Texas at Brownsville

Pardon any typos. Sent from mobile device.
On Jul 10, 2013 12:22 PM, "Brandon Sandrowicz" <brandon@sandrowicz.org>
wrote:

> On Wed, Jul 10, 2013 at 11:55:01AM -0500, Juan Pablo Scaletti wrote:
> > The problem is the way you are initialising the form:
> >
> > form = LoginForm(request.values, csrf_token=csrf_token)
> >
> > The WTForms documentation says:
> >
> > __init__(formdata=None, obj=None, prefix='', **kwargs)¶
> > Parameters:
> > formdata – ...
> > obj – ...
> > prefix – ...
> > **kwargs – If neither formdata or obj contains a value for a field,
> > the form will assign the value of a matching keyword argument to the
> > field, if provided.
> >
> > When visiting http://localhost:5000 , request.values is None and your
> > csrf_token value is used.
> >
> > But if a query parameter is present, like http://localhost:5000?test,
> > request.values is not None anymore, and so any extra value, like your
> > csrf_token, is ignored.
>
> The documentation seems confusing though:
>
> > If neither formdata or obj contains a value for a field, the form will
> > assign the value of a matching keyword argument to the field, if
> > provided.
>
> This reads, to me, that if request.values contains no value for a key,
> then the value for the key will be taken from kwargs. In this case, I
> would expect the equivalent of this to happen:
>
>     request.values.get('csrf_token', kwargs.get('csrf_token', None))
>
> If what it *means* is that kwargs is ignored if formdata or obj is not
> None, then the documentation needs to be more clear.
> --
> Brandon Sandrowicz
> :
> : web     => http://brandon.sandrowicz.org
> : github  => http://github.com/bsandrow
> : twitter => @bsandrow
> : email   => brandon@sandrowicz.org
>

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
michael kearney
Date:
2013-07-10 @ 18:41

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
Raj Bala
Date:
2013-07-10 @ 17:16
That makes sense.  Would I only use request.values if I want to
pre-populate the form with values?

I'm using request.form to initialize the form and that works now.


On Wed, Jul 10, 2013 at 12:55 PM, Juan Pablo Scaletti <
juanpablo@jpscaletti.com> wrote:

> The problem is the way you are initialising the form:
>
> form = LoginForm(request.values, csrf_token=csrf_token)
>
> The WTForms documentation says:
>
> __init__(formdata=None, obj=None, prefix='', **kwargs)
> <http://wtforms.simplecodes.com/docs/0.6.1/forms.html#wtforms.form.Form.__init__>
> Parameters:
>
>    - formdata – ...
>    - obj – ...
>    - prefix – ...
>    - **kwargs – If neither formdata or obj contains a value for a
>    field, the form will assign the value of a matching keyword argument to the
>    field, if provided.
>
> When visiting http://localhost:5000, request.values is None and
> your csrf_token value is used.
> But if a query parameter is present, like http://localhost:5000?test,
> request.values is not None anymore, and so any extra value, like
> your csrf_token, is ignored.
>
>
> On Jul 10, 2013, at 11:38 AM, Raj Bala <raj@rajbala.com> wrote:
>
>
> Hello,
>
> I'm using a hidden field on my forms to prevent CSRF.  The value of this
> hidden field is lost when any query parameter is present.
>
> Here's a simple example:
> https://gist.github.com/rajbala/07dbb2e4d69b68b1c406
>
> If I browse to http://localhost:5000 the CSRF token is present.
>
> If I browse to http://localhost:5000?test the CSRF token is lost.
>
> Am I doing something wrong or is this a bug?
>
>
>
> Raj
>
>
>

Re: [flask] Hidden Field Lost When Query Parameter is Present

From:
Juan Pablo Scaletti
Date:
2013-07-10 @ 17:19
Apparently either the WTForms documentation is wrong or there is a bug in 
the library. It should not happen if the 'csrf_token' isn't in 
request.values

On Jul 10, 2013, at 12:16 PM, Raj Bala <raj@rajbala.com> wrote:

> That makes sense.  Would I only use request.values if I want to 
pre-populate the form with values?
> 
> I'm using request.form to initialize the form and that works now.
> 
> 
> On Wed, Jul 10, 2013 at 12:55 PM, Juan Pablo Scaletti 
<juanpablo@jpscaletti.com> wrote:
> The problem is the way you are initialising the form:
> 
> form = LoginForm(request.values, csrf_token=csrf_token)
> 
> The WTForms documentation says:
> 
> __init__(formdata=None, obj=None, prefix='', **kwargs)¶
> Parameters:	
> formdata – ...
> obj – ...
> prefix – ...
> **kwargs – If neither formdata or obj contains a value for a field, the 
form will assign the value of a matching keyword argument to the field, if
provided.
> When visiting http://localhost:5000, request.values is None and your 
csrf_token value is used.
> But if a query parameter is present, like http://localhost:5000?test, 
request.values is not None anymore, and so any extra value, like your 
csrf_token, is ignored.
> 
> 
> On Jul 10, 2013, at 11:38 AM, Raj Bala <raj@rajbala.com> wrote:
> 
>> 
>> Hello,
>> 
>> I'm using a hidden field on my forms to prevent CSRF.  The value of 
this hidden field is lost when any query parameter is present.  
>> 
>> Here's a simple example:  https://gist.github.com/rajbala/07dbb2e4d69b68b1c406
>> 
>> If I browse to http://localhost:5000 the CSRF token is present.  
>> 
>> If I browse to http://localhost:5000?test the CSRF token is lost.
>> 
>> Am I doing something wrong or is this a bug?
>> 
>> 
>> 
>> Raj
> 
>
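The behaviour the thread describes, as a constructed model added here (example code, not WTForms, Flask or the gist): FakeRequest, formdata_wins, per_key_fallback, rendered_csrf_token and SESSION_TOKEN are assumed names. It reproduces the observation that a non-empty formdata hides the csrf_token keyword argument, contrasts that with the per-field fallback Brandon read into the docs, shows why initialising from request.form instead of request.values avoids the problem on a GET, and adds the server-side check that an empty submitted token must be rejected rather than matched loosely.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_TOKEN = "constructed-session-token"  # stands in for the per-session CSRF secret


@dataclass
class FakeRequest:
    """Constructed stand-in for a Flask request: args = query string, form = POST body."""
    args: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

    @property
    def values(self) -> Dict[str, str]:
        # request.values merges both; an empty dict is falsy, like an empty MultiDict
        return {**self.args, **self.form}


def formdata_wins(formdata: Dict[str, str], kwargs: Dict[str, str], name: str) -> Optional[str]:
    """Behaviour observed in the thread: a non-empty formdata is the only source,
    so a key missing from it becomes '' instead of falling back to kwargs."""
    if formdata:
        return formdata.get(name, "")
    return kwargs.get(name)


def per_key_fallback(formdata: Dict[str, str], kwargs: Dict[str, str], name: str) -> Optional[str]:
    """Per-field fallback that Brandon's reading of the docs would imply."""
    return formdata.get(name, kwargs.get(name))


def rendered_csrf_token(formdata: Dict[str, str], policy: Callable) -> Optional[str]:
    """Value the hidden csrf_token field would carry when the template renders."""
    return policy(formdata, {"csrf_token": SESSION_TOKEN}, "csrf_token")


def csrf_submission_ok(submitted: Optional[str], expected: str = SESSION_TOKEN) -> bool:
    """Server-side check: an absent or empty token must fail, never compare equal."""
    return bool(submitted) and hmac.compare_digest(submitted, expected)


def scenarios() -> Dict[str, Optional[str]]:
    plain = FakeRequest()                        # GET http://localhost:5000
    with_query = FakeRequest(args={"test": ""})  # GET http://localhost:5000?test
    return {
        "values, no query": rendered_csrf_token(plain.values, formdata_wins),
        "values, ?test": rendered_csrf_token(with_query.values, formdata_wins),
        "form, ?test": rendered_csrf_token(with_query.form, formdata_wins),  # Raj's fix
        "fallback, ?test": rendered_csrf_token(with_query.values, per_key_fallback),
    }
```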