Fix #38 -- Return 400 if the given step is not found

formtools/wizard/views.py

@@ -9,6 +9,7 @@
 from django.utils.decorators import classonlymethod
 from django.utils.translation import ugettext as _
 from django.utils import six
+from django.http import HttpResponseBadRequest
 
 from .storage import get_storage
 from .storage.exceptions import NoFileStorageConfigured
@@ -271,6 +272,12 @@ def post(self, *args, **kwargs):
 
         # Check if form was refreshed
         management_form = ManagementForm(self.request.POST, prefix=self.prefix)
+
+        field = '%s-current_step' % self.prefix
+        step_name = management_form.data.get(field, '')
+        if step_name not in dir(self.steps):
+            return HttpResponseBadRequest('Unknown step %s' % step_name)
+
         if not management_form.is_valid():
             raise ValidationError(
                 _('ManagementForm data is missing or has been tampered.'),

tests/wizard/wizardtests/tests.py

@@ -233,6 +233,19 @@ def test_form_refresh(self):
         self.assertEqual(response.status_code, 200)
 
 
+@skipIfCustomUser
+@override_settings(ROOT_URLCONF='tests.wizard.wizardtests.urls')
+class InvalidStepTests(TestCase):
+    def test_unknown_step_400(self):
+        for step in ('"', 'invalid-step', '-'):
+            response = self.client.post('/wiz_session/', {
+                'form1-name': 'Pony',
+                'form1-thirsty': '2',
+                'session_contact_wizard-current_step': step,
+            })
+            self.assertEqual(response.status_code, 400)
+
+
 @skipIfCustomUser
 @override_settings(ROOT_URLCONF='tests.wizard.wizardtests.urls')
 class SessionWizardTests(WizardTests, TestCase):