On 09/16/2015 03:55 PM, Andrew Shadura wrote:
> # HG changeset patch
> # User Andrew Shadura <[email protected]>
> # Date 1442411574 -7200
> #      Wed Sep 16 15:52:54 2015 +0200
> # Node ID 69ea9fc01a602f290b9e78b7cd057a899fa5ff37
> # Parent  889ff0f436c8b57f5962e204e699cbabc6d33aac
> login: strip possible prefix from came_from if it's present
>
> Also, reject came_from URL not belonging to our application.

It seems to me that the problem is that we put the absolute URL (url.current()) in came_from; instead we should use PATH_INFO which is relative to SCRIPT_NAME.

Alternatively, _redirect_to_origin should avoid using the url() function that will prepend SCRIPT_NAME again ... but that seems less elegant...

/Mads
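
Added example, not part of the original message and not Kallithea's code: a sketch of the check the commit message describes, which accepts a came_from value only when it belongs to this application and returns it relative to SCRIPT_NAME, so that a later url() call can prepend the prefix exactly once. The function name normalize_came_from, its parameters and the sample host names are assumptions.

```python
from urllib.parse import urlsplit


def normalize_came_from(came_from, script_name, host, default="/"):
    """Return came_from as a path relative to SCRIPT_NAME, or default if unsafe.

    script_name and host stand for the WSGI SCRIPT_NAME and the request's Host
    header (assumed inputs; the real code would read them from the environ).
    """
    # Backslashes and control characters are parsed inconsistently by browsers.
    if "\\" in came_from or any(ord(c) < 0x20 for c in came_from):
        return default
    parts = urlsplit(came_from)
    if parts.scheme not in ("", "http", "https"):
        return default
    absolute = bool(parts.netloc)
    # An absolute URL must point at our own host (this also rejects "//other").
    if absolute and parts.netloc.lower() != host.lower():
        return default
    path = parts.path
    if not path.startswith("/"):
        return default
    prefix = script_name.rstrip("/")
    if prefix and (path == prefix or path.startswith(prefix + "/")):
        # Strip the mount prefix so it is not prepended a second time.
        path = path[len(prefix):] or "/"
    elif prefix and absolute:
        # Same host, but outside the path the application is mounted on.
        return default
    # Without the prefix the value must not turn into a scheme-relative URL.
    if path.startswith("//"):
        return default
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample values; the application is assumed mounted at /kallithea.
    for value in (
        "http://example.org/kallithea/repo/settings?x=1",
        "/kallithea/repo",
        "/repo",
        "http://evil.example/kallithea/repo",
        "//evil.example/x",
        "/kallithea//evil.example",
    ):
        print(repr(value), "->", normalize_came_from(value, "/kallithea", "example.org"))
```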
