[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL
Jan-Wijbrand Kolman
janwijbrand at gmail.com
Mon Feb 7 06:15:40 EST 2011
On 2/7/11 12:04 PM, Adam GROSZER wrote:
> Hello,
>
> I'm not sure whether you open up a security hole there.
> Imagine that someone does a
> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
> We ended up with storing the camefrom URL in a session variable.
The redirect method in the zope publisher checks whether the redirect is
"trusted" to go to a different host. The trusted argument is "False" by
default. I think it will catch this situation just fine. Or doesn't it?
regards, jw
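As an added illustration (not code from this thread or from zope.publisher itself), the same-host test that an untrusted redirect is described above as performing, applied to a camefrom value before it is stored in the session; the function name, host names and sample values are constructed for the example.

```python
from urllib.parse import urlparse, urlunparse

def same_host_redirect_target(camefrom, request_host, request_scheme="http", default="/"):
    """Return a redirect target derived from camefrom that stays on request_host.

    request_host is the host (with port, if any) exactly as the request saw it.
    Anything that would leave that host falls back to default instead.
    """
    # Browsers read "/\evil.example" as "//evil.example"; refuse backslashes outright.
    if not camefrom or "\\" in camefrom:
        return default
    parts = urlparse(camefrom)
    # Only web schemes may be redirect targets (rules out javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: the host must match exactly.
        # Userinfo tricks such as "http://yoursite.com@other.example/" fail this too.
        if parts.netloc.lower() != request_host.lower():
            return default
        return camefrom
    if parts.scheme:
        # "http:other.example" has a scheme but no netloc; do not guess, refuse.
        return default
    # Relative URL: rebuild it as an absolute URL on the request host.
    path = parts.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return urlunparse((request_scheme, request_host, path, parts.params, parts.query, ""))

if __name__ == "__main__":
    # Constructed sample: the cross-site value from the thread and a local one.
    for value in ("http://mysite.com", "/folder/@@index.html?x=1"):
        print(value, "->", same_host_redirect_target(value, "yoursite.com"))
```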