CSRF fails if there are only FileFields in the form

Issue #7 resolved
David Baumgold
created an issue

In <<changeset 119448003262>>, a change was introduced to make CSRF validation only happen if there was formdata. However, for a form with only a FileField, this change seems to cause CSRF validation to fail. Maybe it would make sense for validation to be skipped when there is no formdata -- //maybe// -- but it shouldn't fail.

An example form: {{{

!python

class UploadForm(wtf.Form): sheet = wtf.FileField('Character Sheet') submit = wtf.SubmitField("Upload") }}}

Perhaps there should be a configurable setting for whether or not forms without formdata should be CSRF validated?

Comments (2)

  1. Dan Jacob repo owner

    I've committed a change which checks for not just formdata but also request.files.

    The example uploadr app works fine (it consists of just the single file field, plus CSRF).

  2. Log in to comment