From bef622b440b871d1b22c04d5d75bdc11a45c5a9f Mon Sep 17 00:00:00 2001
From: Greg Chapple
Date: Fri, 5 Jun 2015 14:11:43 +0100
Subject: [PATCH] Fix #38 -- Return 400 if the given step is not found
---
 formtools/wizard/views.py | 7 +++++++
 tests/wizard/wizardtests/tests.py | 13 +++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/formtools/wizard/views.py b/formtools/wizard/views.py
index aeded43f..9922c74c 100644
--- a/formtools/wizard/views.py
+++ b/formtools/wizard/views.py
@@ -9,6 +9,7 @@
 from django.utils.decorators import classonlymethod
 from django.utils.translation import ugettext as _
 from django.utils import six
+from django.http import HttpResponseBadRequest
 from .storage import get_storage
 from .storage.exceptions import NoFileStorageConfigured
@@ -271,6 +272,12 @@ def post(self, *args, **kwargs):
 # Check if form was refreshed
 management_form = ManagementForm(self.request.POST, prefix=self.prefix)
+
+ field = '%s-current_step' % self.prefix
+ step_name = management_form.data.get(field, '')
+ if step_name not in dir(self.steps):
+ return HttpResponseBadRequest('Unknown step %s' % step_name)
+
 if not management_form.is_valid():
 raise ValidationError(
 _('ManagementForm data is missing or has been tampered.'),
diff --git a/tests/wizard/wizardtests/tests.py b/tests/wizard/wizardtests/tests.py
index 17b5db7f..25ef683c 100644
--- a/tests/wizard/wizardtests/tests.py
+++ b/tests/wizard/wizardtests/tests.py
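Review bot: The 400 on the last added line of the post() hunk echoes `step_name`, which is raw request.POST data read via `management_form.data.get(...)`, into an HttpResponseBadRequest whose default content type is text/html, so a crafted step value is reflected unescaped into the error page. Either stop echoing it or escape it: `return HttpResponseBadRequest('Unknown step %s' % escape(step_name))` with `from django.utils.html import escape` added alongside the new HttpResponseBadRequest import. Separately, `step_name not in dir(self.steps)` is only a step-name check if StepsHelper overrides `__dir__` to return the step names, which this hunk cannot show; testing membership against the explicit step list (`self.steps.all` if the helper exposes it) says what is meant without relying on that override. Note also that a missing current_step field now becomes `''` and is rejected with a 400 before `management_form.is_valid()` runs, so the "data is missing or has been tampered" ValidationError two lines below no longer fires for that case; if that distinction matters to callers it should be deliberate. post() continues beyond the end of the hunk.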
@@ -233,6 +233,19 @@ def test_form_refresh(self):
 self.assertEqual(response.status_code, 200)
+@skipIfCustomUser
+@override_settings(ROOT_URLCONF='tests.wizard.wizardtests.urls')
+class InvalidStepTests(TestCase):
+ def test_unknown_step_400(self):
+ for step in ('"', 'invalid-step', '-'):
+ response = self.client.post('/wiz_session/', {
+ 'form1-name': 'Pony',
+ 'form1-thirsty': '2',
+ 'session_contact_wizard-current_step': step,
+ })
+ self.assertEqual(response.status_code, 400)
+
+
 @skipIfCustomUser
 @override_settings(ROOT_URLCONF='tests.wizard.wizardtests.urls')
 class SessionWizardTests(WizardTests, TestCase):
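Review bot: The loop in test_unknown_step_400 asserts only the status code, so it cannot notice that the 400 body reflects the submitted step verbatim (the view builds it with `'Unknown step %s' % step_name`). Adding a markup-bearing value such as `'<b>x</b>'` to the tuple and checking `self.assertNotContains(response, '<b>x</b>', status_code=400)` would pin that the error page does not echo raw input; with the view as patched it will fail until the echoed name is escaped or dropped. The test also posts only to `/wiz_session/`; if the urlconf mounts a cookie-backed wizard as well (not visible here), the same loop should run against it, since the check lives in the shared post().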