Hi all
information in login form not an absolute URL
Hello,
On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
On 2/7/11 12:04 PM, Adam GROSZER wrote:
Hello,
I'm not sure whether you open up a security hole there. Imagine that someone does a http://yoursite.com/@@loginform.html?camefrom=http://mysite.com We ended up storing the camefrom URL in a session variable.
The redirect method in the zope publisher checks whether the redirect is "trusted" to go to a different host. The trusted argument is "False" by default. I think it will catch this situation just fine. Or doesn't it?
Well on the second look, it should. Then it might have been because Roger was just unsure about the zope.publisher version? He is on holiday this week... See r105125.
Adam, I have nothing to do with zope.pluggableauth. You probably mean z3c.authenticator and friends. Jan, why not use the same pattern as I changed to in z3c.authenticator? There the camefrom request part was replaced by session handling. On the other side, I think your changes are fine since, I guess, someone from gocept, a long time ago, fixed and protected the redirect method. Btw, there was also a proposal about improvements on the old zope3 website. I don't know if these proposals are still there and accessible.
Regards
Roger Ineichen
Let's wait and see what the others say.
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
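The thread above turns on one check: a login form's camefrom value must not be allowed to send the user to a different host unless the redirect is explicitly trusted. The following is an added, stand-alone illustration of that check, written for this page; it is not code from zope.publisher or z3c.authenticator, and it only mirrors the behaviour the thread describes (an untrusted redirect to another host is refused, `trusted` defaults to False). The request URL, the default landing page and the function names are assumptions made for the example. It also covers a few cases the thread does not mention: scheme-relative targets like `//mysite.com/`, non-http schemes, and backslashes, all of which browsers may resolve to a foreign host.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample request URL, standing in for the page the login form lives on.
REQUEST_URL = "http://yoursite.com/@@loginform.html"
# Assumed fallback when the camefrom value is missing or rejected.
DEFAULT_LANDING = "/"


class UntrustedRedirect(ValueError):
    """Raised when an untrusted redirect would leave the request's host."""


def _scheme_and_host(url):
    """Lower-cased (scheme, host[:port]) of a URL; netloc keeps the port."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def resolve_redirect(target, request_url=REQUEST_URL, trusted=False):
    """Return the absolute URL a login form may redirect to.

    Mirrors the rule discussed on the list: a redirect to a host other than
    the request's host is only allowed when ``trusted`` is True.
    """
    if not target:
        return urljoin(request_url, DEFAULT_LANDING)
    # Backslashes and CR/LF are rejected outright: some user agents treat a
    # backslash as a slash, and CR/LF would allow header injection in Location.
    if any(ch in target for ch in "\\\r\n"):
        raise UntrustedRedirect("malformed redirect target")
    # Resolve relative paths and scheme-relative (//host/...) targets against
    # the request, so the host comparison sees where the browser would really go.
    absolute = urljoin(request_url, target)
    scheme, host = _scheme_and_host(absolute)
    if scheme not in ("http", "https"):
        raise UntrustedRedirect("only http(s) redirects are allowed")
    _, request_host = _scheme_and_host(request_url)
    if host != request_host and not trusted:
        raise UntrustedRedirect("redirect to a different host is not trusted")
    return absolute


def is_safe_camefrom(target, request_url=REQUEST_URL, trusted=False):
    """True when resolve_redirect would accept the target."""
    try:
        resolve_redirect(target, request_url, trusted)
    except UntrustedRedirect:
        return False
    return True


def camefrom_or_default(target, request_url=REQUEST_URL):
    """Login-form policy: fall back to the landing page instead of failing."""
    try:
        return resolve_redirect(target, request_url)
    except UntrustedRedirect:
        return urljoin(request_url, DEFAULT_LANDING)


if __name__ == "__main__":
    for candidate in ("/folder/index.html", "http://mysite.com", "//mysite.com/x",
                      "javascript:alert(1)", "http://yoursite.com.mysite.com/"):
        print(f"{candidate!r:40} -> {camefrom_or_default(candidate)}")
```

Comparing the full netloc (host and port) rather than a substring is deliberate: `http://yoursite.com.mysite.com/` would pass a naive "starts with yoursite.com" test but is a foreign host. Storing the validated value in the session, as the thread suggests, removes the need to trust the query string on every request, but the value still needs this check once, when it enters the session.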