[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL

Adam GROSZER agroszer at gmail.com
Mon Feb 7 06:29:05 EST 2011


Hello,

On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
>
> On 2/7/11 12:04 PM, Adam GROSZER wrote:
>> Hello,
>>
>> I'm not sure whether you open up a security hole there.
>> Imagine that someone does a
>> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
>> We ended up storing the camefrom URL in a session variable.
>
> The redirect method in the zope publisher checks whether the redirect is
> "trusted" to go to a different host. The trusted argument is "False" by
> default. I think it will catch this situation just fine. Or doesn't it?

Well, on second look, it should.
Then it might have been because Roger was just unsure about the
zope.publisher version? He is on holiday this week...
See r105125.

Let's wait for what the others say.
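The check the thread relies on is that a login form must not hand a user-supplied "camefrom" value to a redirect unless it stays on the site that served the form. The following is an added example written for this page, not zope.publisher's own code: it shows a same-host policy of the kind the publisher's untrusted-redirect mode is described as applying, and goes a little beyond the page's case by also rejecting non-http schemes and backslash-prefixed paths that some clients reinterpret as host-bearing URLs. The function names and the hosts "yoursite.com" and "mysite.com" are constructed for the example.

```python
from urllib.parse import urlsplit


def is_safe_redirect(location, request_host):
    """Return True only when `location` stays on `request_host`.

    This is a hypothetical helper, not the zope.publisher implementation.
    Policy:
      * a plain relative path ("/@@index.html") carries no host and is kept;
      * an absolute URL is kept only when its network location (host, plus
        port if given) matches the host the request arrived on, so a
        protocol-relative "//mysite.com/" is refused like "http://mysite.com";
      * a URL with a scheme but no host ("javascript:", "mailto:") is refused;
      * a path beginning with a backslash is refused, because some clients
        normalise "/\\host" to "//host" and would leave the site.
    """
    if location.startswith(("\\", "/\\")):
        return False
    parts = urlsplit(location)
    if parts.scheme and not parts.netloc:
        # "javascript:..." and friends: a scheme with nowhere to go.
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # Relative URL: stays on the current host.
        return True
    # Compare the full netloc so "yoursite.com@mysite.com" (userinfo trick)
    # and a different port do not pass as the same origin.
    return parts.netloc.lower() == request_host.lower()


def redirect_target(camefrom, request_host, default="/"):
    """Choose where to send the user after a successful login.

    If the stored camefrom value would leave the site, fall back to a
    safe default instead of redirecting to it.
    """
    if camefrom and is_safe_redirect(camefrom, request_host):
        return camefrom
    return default


if __name__ == "__main__":
    # Constructed sample: the attack URL from the thread versus a local path.
    for came in ("http://mysite.com", "/@@index.html", "//mysite.com/"):
        print(came, "->", redirect_target(came, "yoursite.com"))
```

In a real login view the value of `request_host` should come from the server-side configuration or the validated Host header rather than from anything the client controls, otherwise the comparison can be steered by the same request that supplies camefrom.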