[Zope-dev] zope.pluggableauth and "camefrom" information in login form not an absolute URL
Roger
dev at projekt01.ch
Mon Feb 7 12:03:28 EST 2011
Hi all
> information in login form not an absolute URL
>
> Hello,
>
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
> >
> > On 2/7/11 12:04 PM, Adam GROSZER wrote:
> >> Hello,
> >>
> >> I'm not sure whether you open up a security hole there.
> >> Imagine that someone does a
> >> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
> >> We ended up with storing the camefrom URL in a session variable.
> >
> > The redirect method in the zope publisher checks whether the redirect
> > is "trusted" to go to a different host. The trusted argument is
> > "False" by default. I think it will catch this situation just fine.
> > Or doesn't it?
>
> Well on the second look, it should.
> Then it might have been because Roger was just unsure about
> the zope.publisher version? He is on holiday this week...
> See r105125.
Adam,
I have nothing to do with zope.pluggableauth. You probably
mean z3c.authenticator and friends.
Jan,
why not use the same pattern as I changed to in z3c.authenticator?
There the camefrom request part was replaced by session handling.
On the other hand, I think your changes are fine since, I guess,
someone from gocept, a long time ago, fixed and protected the
redirect method.
btw,
there was also a proposal about improvements on the old zope3 website.
I don't know if these proposals are still there and accessible.
Regards
Roger Ineichen
> Let's wait for what the others say.
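The two defences discussed in the thread, as an added example that is not code from zope.publisher, zope.pluggableauth or z3c.authenticator: a redirect helper that refuses to leave the current host unless the caller passes `trusted=True` (the behaviour attributed to the publisher's redirect method above), and a login flow that captures `camefrom` once into a server-side session instead of reading it back from the request on the POST that completes the login. The hostnames, URLs, `redirect_target`, `is_trusted_target` and `LoginFlow` names, and the dict standing in for a session store are all constructed for this illustration.

```python
"""Open-redirect protection for a login form's ``camefrom`` parameter.

Added illustration; it models the behaviour described in the thread and
is not the code of zope.publisher or z3c.authenticator.  Hostnames and
URLs below are constructed for the example.
"""
from urllib.parse import urljoin, urlsplit


class UntrustedRedirect(ValueError):
    """Raised when a redirect would send the browser to another host."""


def redirect_target(location, request_host, request_url, trusted=False):
    """Resolve ``location`` against ``request_url`` and return the absolute URL.

    ``request_host`` is the Host header the client sent (e.g. 'yoursite.com').
    With ``trusted=False`` (the default) any target whose host differs from
    ``request_host`` raises UntrustedRedirect, so a crafted
    ``?camefrom=http://mysite.com`` cannot bounce the user elsewhere.
    """
    absolute = urljoin(request_url, location)
    parts = urlsplit(absolute)
    # Only plain web URLs are acceptable targets; this also rejects
    # javascript:, data: and similar schemes that urlsplit happily parses.
    if parts.scheme not in ("http", "https"):
        raise UntrustedRedirect("unsupported scheme %r" % parts.scheme)
    # Host comparison on the resolved URL: a scheme-relative value such as
    # '//mysite.com/' has already been turned into a full URL on mysite.com
    # by urljoin, so it is caught here as well.
    if not trusted and parts.netloc.lower() != request_host.lower():
        raise UntrustedRedirect("redirect to host %r not allowed" % parts.netloc)
    return absolute


def is_trusted_target(location, request_host, request_url):
    """Boolean convenience wrapper around redirect_target()."""
    try:
        redirect_target(location, request_host, request_url)
    except UntrustedRedirect:
        return False
    return True


class LoginFlow:
    """Session-based handling of where to send the user after login.

    The camefrom value is validated and stored when the login form is
    first rendered; completing the login never reads it from the request
    again, so a later request cannot change the destination.
    """

    def __init__(self, request_host, default="/"):
        self.request_host = request_host
        self.default = default
        self.session = {}  # constructed stand-in for a per-user session store

    def show_form(self, request_url, camefrom):
        """Called for GET /@@loginform.html?camefrom=..."""
        try:
            self.session["camefrom"] = redirect_target(
                camefrom, self.request_host, request_url)
        except UntrustedRedirect:
            # Never store an unsafe value; fall back to the default later.
            self.session.pop("camefrom", None)

    def complete_login(self, request_url):
        """Called after credentials were accepted; returns the redirect URL."""
        # pop() so the stored target is consumed exactly once.
        target = self.session.pop("camefrom", None)
        return target or urljoin(request_url, self.default)


if __name__ == "__main__":
    base = "http://yoursite.com/@@loginform.html"
    for candidate in ("/folder/@@index.html", "http://mysite.com",
                      "//mysite.com/", "javascript:alert(1)"):
        print("%-28s trusted=%s" % (candidate,
                                    is_trusted_target(candidate, "yoursite.com", base)))
    flow = LoginFlow("yoursite.com")
    flow.show_form(base, "http://mysite.com")
    print("after login ->", flow.complete_login(base))
```

The host check compares `netloc` as a whole, so if the deployment's Host header carries a port the same string (host and port) must be passed as `request_host`; and because the session entry is consumed with `pop()`, a second login in the same session falls back to the default rather than reusing a stale target.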