[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL
Adam GROSZER
agroszer at gmail.com
Mon Feb 7 06:04:03 EST 2011
Hello,
I'm not sure whether you open up a security hole there.
Imagine that someone does a
http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
We ended up with storing the camefrom URL in a session variable.
On Mon, 07 Feb 2011 10:42:33 +0100 you wrote:
>
> Hi,
>
> The SessionCredentialsPlugin will redirect to a login form whenever a
> user needs to be authenticated. The URL to this login form will have a
> "camefrom" query string, where the "camefrom" is the path-information to
> the originally requested view.
>
> When the credentials provided by the user are correct, the login form
> will use the camefrom information to redirect back to that original view.
>
> Ideally (a.k.a. according to the HTTP spec.), the camefrom should be an
> absolute URL, not just a path like the SessionCredentialsPlugin now does.
>
> I'd like to fix and release zope.pluggableauth with the following patch
> applied - unless of course there's compelling reasons not to do this:
>
> --- trunk/src/zope/pluggableauth/plugins/session.py 2011-02-07
> 10:33:25.643791415 +0100
> +++
> branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py
> 2011-02-07 10:40:12.301790203 +0100
> @@ -308,7 +308,7 @@
> # Better to add the query string, if present
> query = request.get('QUERY_STRING')
>
> - camefrom = '/'.join([request.getURL(path_only=True)] + stack)
> + camefrom = '/'.join([request.getURL()] + stack)
> if query:
> camefrom = camefrom + '?' + query
> url = '%s/@@%s?%s' % (absoluteURL(site, request),
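Review bot: the one-line change makes camefrom an absolute URL, but the login form still reads camefrom back from the query string (per the description above), so nothing in this hunk stops a crafted `camefrom=http://othersite.example` from being honoured after a successful login; the redirect step should accept camefrom only when it is a site-local path or begins with `absoluteURL(site, request)`, or the target should be kept server-side as the reply above does. Also, the trailing context line `url = '%s/@@%s?%s' % (absoluteURL(site, request),` is cut off in the quoted diff, so the hunk as posted is incomplete.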
>
>
> regards, jw
>
> _______________________________________________
> Zope-Dev maillist - Zope-Dev at zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope )
>
--
Best regards,
Adam GROSZER
--
Quote of the day:
Man who falls in vat of molten optical glass makes spectacle of self.
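An added example, not code from zope.pluggableauth or from either poster, showing the check a login form's redirect needs once camefrom can be an absolute URL: accept only site-local paths or URLs on the site's own scheme and host, otherwise fall back to the site root. The function name `safe_camefrom` and the site URL strings are assumptions; the site URL stands in for what `absoluteURL(site, request)` would return.

```python
# Constructed example for validating a "camefrom" redirect target before the
# login form sends the browser there. Not part of zope.pluggableauth.
from urllib.parse import urlsplit, urljoin


def safe_camefrom(site_url, camefrom, default=None):
    """Return a redirect target that stays on the site, or `default`.

    Accepts:
      * a site-local path ("/folder/@@index.html?x=1"), the form the old
        path_only=True code produced, but not scheme-relative "//host/..."
      * an absolute URL whose scheme and host match `site_url`
    Rejects everything else (other hosts, javascript:, data:, userinfo
    tricks such as "https://site@evil/", backslashes, CR/LF).
    """
    if default is None:
        default = site_url
    if not camefrom:
        return default
    camefrom = camefrom.strip()
    # Browsers treat "\" like "/" in the authority part; refuse it outright,
    # and refuse CR/LF so the value can never split the Location header.
    if "\\" in camefrom or "\r" in camefrom or "\n" in camefrom:
        return default
    site = urlsplit(site_url)
    target = urlsplit(camefrom)
    if target.scheme == "" and target.netloc == "":
        # Relative reference: must be an absolute path. "//" and "///" are
        # rejected because browsers resolve them to another host.
        if not camefrom.startswith("/") or camefrom.startswith("//"):
            return default
        # Turn the path into the absolute URL the HTTP spec asks for.
        return urljoin(site_url, camefrom)
    # Absolute URL: scheme and host (netloc, including any port) must match.
    # Default-port equivalence ("site:443" vs "site") is deliberately not
    # handled here; normalise site_url the same way the plugin builds URLs.
    if target.scheme.lower() != site.scheme.lower():
        return default
    if target.netloc.lower() != site.netloc.lower():
        return default
    return camefrom
```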