Re: [Zope-dev] Apache rewrite - HTTP_Host redirect issue
On 2009-9-16 01:15, Roger Ineichen wrote:
> Hi Dan
>
> I have an issue with the latest changes in
> zope.publisher.http.py
>
> The redirect method in HTTPResponse http.py line: 880
> forces a ValueError. Because the Apache HTTP_HOST and
> the target_host do not compare.
>
>     def redirect(self, location, status=None, trusted=False):
>         location = str(location)
>         if not trusted:
>             scheme, target_host, path, query, fragment = (
>                 urlparse.urlsplit(location))
>             if target_host and target_host != self._request.get('HTTP_HOST'):
>                 raise ValueError(
>                     "Untrusted redirect to host %r not allowed."
>                     % target_host)
>
> Apache uses DOMAIN in HTTP_HOST like expected and the method
> used with urlparse.urlsplit(location) returns DOMAIN:PORT
> as target_host value.

I suspect Apache does use DOMAIN:PORT if the port is a non-standard port,
i.e. http over anything other than port 80 or https over something other
than port 443.

Wichert.

--
Wichert Akkerman wich...@wiggy.net    It is simple to make things.
http://www.wiggy.net/                 It is hard to make things simple.
___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Apache rewrite - HTTP_Host redirect issue
Hi Dan

I have an issue with the latest changes in
zope.publisher.http.py

The redirect method in HTTPResponse http.py line: 880
forces a ValueError. Because the Apache HTTP_HOST and
the target_host do not compare.

    def redirect(self, location, status=None, trusted=False):
        location = str(location)
        if not trusted:
            scheme, target_host, path, query, fragment = (
                urlparse.urlsplit(location))
            if target_host and target_host != self._request.get('HTTP_HOST'):
                raise ValueError(
                    "Untrusted redirect to host %r not allowed."
                    % target_host)

Apache uses DOMAIN in HTTP_HOST like expected and the method
used with urlparse.urlsplit(location) returns DOMAIN:PORT
as target_host value.

I'm not sure if this is an issue or a bad Apache rewrite
configuration.

As far as I see we should remove the PORT part from the
target_host value, right?

I'm not sure whether removing the port info from the value
is counterproductive for security. If so, what is the correct
concept to make the Apache rewrite work?
I guess there is no way to support both.

btw, I'll run into this problem after a redirect during
authentication login form to the camefrom url. This
should be reproducible by any other Apache (port) rewrite
setup.

Regards
Roger Ineichen

Projekt01 GmbH
www.projekt01.ch
Boesch 65
6331 Hünenberg
phone  +41 (0)41 781 01 78
mobile +41 (0)79 340 52 32
fax    +41 (0)41 781 00 78
email  roger.ineic...@projekt01.ch

END OF MESSAGE
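Added example, not part of the thread and not zope.publisher's code: one way to handle the port question raised above is to drop the port only when it is the default for its scheme, so DOMAIN and DOMAIN:80 compare equal over http while a non-standard port still has to match. It is written for Python 3 (`urllib.parse` instead of the `urlparse` module in the quoted code); the function names, the `request_scheme` argument and the sample hosts are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_host(netloc, scheme):
    """Return (host, port); port is None when it is the scheme's default.

    Raises ValueError for a malformed port or bracketed host.
    """
    parts = urlsplit("//" + netloc)  # reuse urlsplit's host/port/userinfo parsing
    port = parts.port                # ValueError if not a number in 0-65535
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    return parts.hostname, port      # hostname is lowercased, userinfo dropped


def redirect_target_allowed(location, http_host, request_scheme):
    """True if `location` stays on the host the request was addressed to.

    `http_host` is the Host header value; `request_scheme` is the scheme the
    client used (assumed to be known to the caller, e.g. from the proxy setup).
    """
    try:
        scheme, target_netloc = urlsplit(location)[:2]
        if not target_netloc:
            return True  # no host part: same as the check quoted in the thread
        target = normalize_host(target_netloc, scheme or request_scheme)
        current = normalize_host(http_host or "", request_scheme)
    except ValueError:
        return False     # unparsable host or port is never trusted
    return target == current


if __name__ == "__main__":
    # Constructed sample inputs: (location, Host header, request scheme)
    samples = [
        ("http://example.com:80/login", "example.com", "http"),
        ("http://example.com:8080/login", "example.com", "http"),
        ("http://example.com:8080/login", "example.com:8080", "http"),
        ("http://example.com@evil.example/", "example.com", "http"),
    ]
    for location, host, scheme in samples:
        print(location, host, redirect_target_allowed(location, host, scheme))
```

Stripping the port unconditionally would also accept the second sample, which targets a different service on the same machine.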