7 Feb 2011, 11:15 a.m.
On 2/7/11 12:04 PM, Adam GROSZER wrote:
Hello,
I'm not sure whether you open up a security hole there. Imagine that someone does a http://yoursite.com/@@loginform.html?camefrom=http://mysite.com We ended up with storing the camefrom URL in a session variable.
The redirect method in the zope publisher checks whether the redirect is "trusted" to go to a different host. The trusted argument is "False" by default. I think it will catch this situation just fine. Or doesn't it?

regards,
jw
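Added example, not code from this thread or from zope.publisher: a same-host check a login form could apply to the camefrom value before redirecting, enforcing the same intent as a non-trusted redirect (only targets on our own host are followed). The site host, the function name and the sample inputs are assumptions.

```python
"""Same-host check for a user-supplied 'camefrom' redirect target (added example)."""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed value: the host the login form is served from.
SITE_HOST = "yoursite.com"


def safe_redirect_target(came_from, site_host=SITE_HOST, scheme="https"):
    """Return an absolute URL on site_host, or None if came_from must not be followed.

    Rejects other hosts (http://mysite.com), protocol-relative URLs (//mysite.com/x),
    userinfo tricks (http://yoursite.com@mysite.com/) and non-http(s) schemes
    such as javascript:. Relative paths are resolved against our own site.
    """
    if not came_from:
        return None
    # Whitespace and control characters have no place in a redirect target.
    if came_from != came_from.strip() or any(c in came_from for c in "\r\n\t"):
        return None
    base = f"{scheme}://{site_host}/"
    resolved = urlsplit(urljoin(base, came_from))
    if resolved.scheme not in ("http", "https"):
        return None
    if resolved.hostname is None or resolved.hostname.lower() != site_host.lower():
        return None
    # Rebuild with our own scheme and host so a user-supplied port or userinfo
    # never reaches the Location header; the fragment is dropped as well.
    path = resolved.path or "/"
    return urlunsplit((scheme, site_host, path, resolved.query, ""))


if __name__ == "__main__":
    # Constructed inputs, including the one from the thread.
    for candidate in ("http://mysite.com", "/@@index.html?x=1", "//mysite.com/x",
                      "javascript:alert(1)", "https://yoursite.com:8080/admin"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```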