[Zope-CVS] CVS: Products/PluggableAuthService/plugins -
CookieAuthHelper.py:1.11
Jens Vagelpohl
jens at dataflake.org
Tue Nov 23 04:31:37 EST 2004
Update of /cvs-repository/Products/PluggableAuthService/plugins
In directory cvs.zope.org:/tmp/cvs-serv5300/plugins
Modified Files:
CookieAuthHelper.py
Log Message:
- Detect and break a redirect loop in the CookieAuthHelper when the
login_form itself cannot be reached by the Anonymous User.
=== Products/PluggableAuthService/plugins/CookieAuthHelper.py 1.10 => 1.11 ===
--- Products/PluggableAuthService/plugins/CookieAuthHelper.py:1.10 Sat Nov 20 13:44:13 2004
+++ Products/PluggableAuthService/plugins/CookieAuthHelper.py Tue Nov 23 04:31:36 2004
@@ -163,6 +163,7 @@
def unauthorized(self):
req = self.REQUEST
resp = req['RESPONSE']
+
# If we set the auth cookie before, delete it now.
if resp.cookies.has_key(self.cookie_name):
del resp.cookies[self.cookie_name]
@@ -171,6 +172,7 @@
url = self.getLoginURL()
if url is not None:
came_from = req.get('came_from', None)
+
if came_from is None:
came_from = req.get('URL', '')
query = req.get('QUERY_STRING')
@@ -178,6 +180,20 @@
if not query.startswith('?'):
query = '?' + query
came_from = came_from + query
+ else:
+ # If came_from contains a value it means the user
+ # must be coming through here a second time
+ # Reasons could be typos when providing credentials
+ # or a redirect loop (see below)
+ req_url = req.get('URL', '')
+
+ if req_url and req_url == url:
+ # Oops... The login_form cannot be reached by the user -
+ # it might be protected itself due to misconfiguration -
+ # the only sane thing to do is to give up because we are
+ # in an endless redirect loop.
+ return 0
+
url = url + '?came_from=%s' % quote(came_from)
resp.redirect(url, lock=1)
return 1
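Review bot: The new `else` branch keeps a client-supplied `came_from` without checking where it points, so a crafted link such as `login_form?came_from=http://evil.example/` passes straight through to the `quote(came_from)` redirect after the branch, and if the login form later sends the user on to `came_from` after a successful login (that code is not visible here) this is an open redirect. I would only honour an externally supplied value that points back at this site, e.g. at the top of the `else` branch add `if not came_from.startswith(req.get('SERVER_URL', '')): came_from = req.get('URL', '')` (assuming the usual Zope `SERVER_URL` request variable is available in this context). The loop check `req_url == url` is an exact string comparison, so a login URL that differs only by a trailing slash, an `index_html` suffix or virtual-host rewriting would not match and the loop would continue; normalising both sides before comparing would make the guard more robust. `unauthorized` starts in the first hunk (line 163), outside this one, and how the caller treats the new `return 0` is not visible here.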