Add basket post data to the form when invalid (#3911)

src/oscar/apps/basket/views.py

@@ -1,5 +1,6 @@
 from django import shortcuts
 from django.contrib import messages
+from django.contrib.sessions.serializers import JSONSerializer
 from django.core.exceptions import ObjectDoesNotExist
 from django.http import JsonResponse, QueryDict
 from django.shortcuts import redirect
@@ -332,6 +333,13 @@ class BasketAddView(FormView):
         clean_msgs = [m.replace('* ', '') for m in msgs if m.startswith('* ')]
         messages.error(self.request, ",".join(clean_msgs))
 
+        # We serialize the POST data with JSONSerializer before adding it to the session.
+        # Without this, we could expose the site to a security vulnerability
+        # if the SESSION_SERIALIZER has been configured to 'django.contrib.sessions.serializers.PickleSerializer'.
+        # see: https://docs.djangoproject.com/en/3.2/topics/http/sessions/#cookie-session-backend
+        serialized_data = JSONSerializer().dumps(self.request.POST)
+        self.request.session["add_to_basket_form_post_data_%s" % self.product.pk] = serialized_data.decode("latin-1")
+
         return redirect_to_referrer(self.request, 'basket:summary')
 
     def form_valid(self, form):

src/oscar/templatetags/basket_tags.py

@@ -1,4 +1,5 @@
 from django import template
+from django.contrib.sessions.serializers import JSONSerializer
 
 from oscar.core.loading import get_class, get_model
 
@@ -24,6 +25,11 @@ def basket_form(request, product, quantity_type='single'):
     if quantity_type == QNT_SINGLE:
         form_class = SimpleAddToBasketForm
 
-    form = form_class(request.basket, product=product, initial=initial)
+    basket_post_data = request.session.pop("add_to_basket_form_post_data_%s" % product.pk, None)
+
+    if basket_post_data is not None:
+        basket_post_data = JSONSerializer().loads(basket_post_data.encode("latin-1"))
+
+    form = form_class(request.basket, data=basket_post_data, product=product, initial=initial)
 
     return form

tests/functional/basket/test_manipulation.py

@@ -1,7 +1,12 @@
 from oscar.apps.basket import models
+from oscar.core.loading import get_model
 from oscar.test import factories
 from oscar.test.testcases import WebTestCase
 
+Option = get_model("catalogue", "Option")
+AttributeOptionGroup = get_model("catalogue", "AttributeOptionGroup")
+AttributeOption = get_model("catalogue", "AttributeOption")
+
 
 class TestAddingToBasket(WebTestCase):
 
@@ -34,3 +39,33 @@ class TestAddingToBasket(WebTestCase):
 
         basket = baskets[0]
         self.assertEqual(3, basket.num_items)
+
+    def test_validation_errors_in_form(self):
+        product = factories.ProductFactory()
+        product_class = product.get_product_class()
+        group = AttributeOptionGroup.objects.create(name="checkbox options")
+        AttributeOption.objects.create(group=group, option="1")
+        AttributeOption.objects.create(group=group, option="2")
+
+        option = Option.objects.create(
+            type=Option.CHECKBOX,
+            required=True,
+            name="Required checkbox",
+            option_group=group
+        )
+        text_option = Option.objects.create(type=Option.TEXT, required=False, name="Open tekst")
+
+        product_class.options.add(option)
+        product_class.options.add(text_option)
+        product_class.save()
+
+        detail_page = self.get(product.get_absolute_url())
+        detail_page.forms["add_to_basket_form"]["open-tekst"] = "test harrie"
+        response = detail_page.forms['add_to_basket_form'].submit().follow()
+
+        self.assertEqual(response.forms["add_to_basket_form"]["open-tekst"].value, "test harrie")
+        baskets = models.Basket.objects.all()
+        self.assertEqual(1, len(baskets))
+
+        basket = baskets[0]
+        self.assertEqual(0, basket.lines.count())