Hello,

I'm not sure whether you open up a security hole there. Imagine that someone does a

http://yoursite.com/@@loginform.html?camefrom=http://mysite.com

We ended up storing the camefrom URL in a session variable.

On Mon, 07 Feb 2011 10:42:33 +0100 you wrote:
Hi,
The SessionCredentialsPlugin will redirect to a login form whenever a user needs to be authenticated. The URL to this login form will have a "camefrom" query string, where the "camefrom" is the path information of the originally requested view.
When the credentials provided by the user are correct, the login form will use the camefrom information to redirect back to that original view.
Ideally (a.k.a. according to the HTTP spec.), the camefrom should be an absolute URL, not just a path like the SessionCredentialsPlugin now does.
I'd like to fix and release zope.pluggableauth with the following patch applied - unless of course there are compelling reasons not to do this:
--- trunk/src/zope/pluggableauth/plugins/session.py 2011-02-07 10:33:25.643791415 +0100 +++ branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py 2011-02-07 10:40:12.301790203 +0100 @@ -308,7 +308,7 @@ # Better to add the query string, if present query = request.get('QUERY_STRING')
- camefrom = '/'.join([request.getURL(path_only=True)] + stack) + camefrom = '/'.join([request.getURL()] + stack) if query: camefrom = camefrom + '?' + query url = '%s/@@%s?%s' % (absoluteURL(site, request),
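Review bot: switching `request.getURL(path_only=True)` to `request.getURL()` makes camefrom carry scheme and host, and the visible lines show nothing on the login-form side that checks the value once it returns in the `?camefrom=` query string, so a request crafted with a foreign host in camefrom would be redirected to as-is. Suggest resolving camefrom against `absoluteURL(site, request)` and rejecting any mismatch in scheme or netloc before redirecting, or keeping the value server-side (the session-variable approach mentioned in the reply) rather than trusting it from the query string.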
regards, jw
--
Best regards,
Adam GROSZER

--
Quote of the day:
Man who falls in vat of molten optical glass makes spectacle of self.
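The check the thread is circling around, written out as an added example that is not code from zope.pluggableauth or from either poster: before the login form redirects, resolve camefrom against the site's own absolute URL and only follow it if scheme and host match. The function name `safe_camefrom` and the fallback target are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit


def safe_camefrom(camefrom, site_url, default="/"):
    """Return a redirect target derived from ``camefrom`` only when it stays
    on ``site_url``'s scheme and host; otherwise return ``default``.

    Hypothetical helper for this example, not zope.pluggableauth's API.
    ``site_url`` plays the role of absoluteURL(site, request).
    """
    if not camefrom:
        return default
    # Backslashes and control characters are treated as '/' or stripped by
    # some browsers, so refuse them outright instead of trying to normalise.
    if any(ch in camefrom for ch in "\\\r\n\t\x00"):
        return default
    site = urlsplit(site_url)
    # Resolve the value against the site first: a bare path becomes
    # http://site/path, while '//evil' or 'http://evil' keep their own host.
    resolved = urlsplit(urljoin(site_url, camefrom))
    # Compare netloc (not just hostname) so 'site@evil' style userinfo tricks
    # and a foreign port are both rejected.
    if resolved.scheme != site.scheme or resolved.netloc.lower() != site.netloc.lower():
        return default
    # Return the resolved form, never the raw query-string value.
    return resolved.geturl()


def demo():
    """Run the example from the thread plus a few edge cases (constructed)."""
    site = "http://yoursite.com"
    cases = [
        "http://mysite.com",                 # the case raised in the reply
        "/@@index.html?x=1",                 # path-only camefrom, as before the patch
        "http://yoursite.com/folder/view",   # absolute, same site, as after the patch
        "//mysite.com/x",                    # scheme-relative, foreign host
        "http://yoursite.com@mysite.com/",   # userinfo trick
    ]
    return {c: safe_camefrom(c, site) for c in cases}


if __name__ == "__main__":
    for camefrom, target in demo().items():
        print("%-40s -> %s" % (camefrom, target))
```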