[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL

Jan-Jaap Driessen jdriessen at thehealthagency.com
Mon Feb 7 07:26:04 EST 2011


On 7 February 2011 12:29, Adam GROSZER <agroszer at gmail.com> wrote:
> Hello,
>
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
>>
>> On 2/7/11 12:04 PM, Adam GROSZER wrote:
>>> Hello,
>>>
>>> I'm not sure whether you open up a security hole there.
>>> Imagine that someone does a
>>> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
>>> We ended up with storing the camefrom URL in a session variable.
>>
>> The redirect method in the zope publisher checks whether the redirect is
>> "trusted" to go to a different host. The trusted argument is "False" by
>> default. I think it will catch this situation just fine. Or doesn't it?
>
> Well on the second look, it should.
> Then it might have been because Roger was just unsure about the
> zope.publisher version? He is on holiday this week...
> See r105125.
>
> Let's wait for what the others say.
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev at zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  https://mail.zope.org/mailman/listinfo/zope-announce
>  https://mail.zope.org/mailman/listinfo/zope )
>

I can confirm that a redirect to an injected camefrom URL yields a ValueError:

Untrusted redirect to host 'www.example.com:80' not allowed.

-- 
Jan-Jaap Driessen
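
As an added illustration (not zope.publisher's own code and not part of this thread), the following models the "trusted" host check described above: an untrusted redirect may only stay on the host that served the request, otherwise a ValueError with the quoted message is raised; the login-form helper that falls back to a safe landing path, the function names and DEFAULT_LANDING are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumption: where a user is sent when the supplied camefrom is rejected.
DEFAULT_LANDING = "/"


def check_redirect_host(request_host, location, trusted=False):
    """Return `location` if the redirect is allowed, else raise ValueError.

    Modelled on the behaviour discussed in the thread (not the real
    zope.publisher implementation): with trusted=False, relative paths
    (no host component) are always allowed, while absolute URLs and
    scheme-relative URLs such as //other.host/... must point at the
    same hostname as the request. Ports and user-info are ignored for
    the comparison, so http://site.com@evil.com/ is still rejected.
    """
    if trusted:
        return location
    parts = urlsplit(location)
    if not parts.netloc:
        return location  # relative path: stays on this site
    request_hostname = request_host.split(":", 1)[0].lower()
    if parts.hostname != request_hostname:
        # Same wording as the error quoted in the reply above.
        raise ValueError(
            "Untrusted redirect to host %r not allowed." % parts.netloc)
    return location


def safe_camefrom(request_host, camefrom):
    """Login-form helper: honour the caller's camefrom only if it passes
    the host check; otherwise fall back to DEFAULT_LANDING instead of
    surfacing the ValueError to the user."""
    if not camefrom:
        return DEFAULT_LANDING
    try:
        return check_redirect_host(request_host, camefrom)
    except ValueError:
        return DEFAULT_LANDING
```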

