[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL
Jan-Wijbrand Kolman
janwijbrand at gmail.com
Tue Feb 8 03:59:59 EST 2011
On 2/7/11 18:03 PM, Roger wrote:
> Why not use the same pattern like I changed to in z3c.authenticator?
> There the camefrom request part was replaced by session handling.
>
> On the other side, I think your changes are fine since, I guess
> someone from gocept, a long time ago, fixed and protected the
> redirect method.
Ok, thanks for your feedback!
I applied the patch, added a test just to show a redirect to a
suspicious URL will by default not work, and released zope.pluggableauth 1.3.
regards, jw