site trust abuse with default web2py setting?
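I think this can be the default (security matters), but it needs to be
configurable.

    def avoid_external_next():
        # On the auth page, drop a _next value that points at an absolute URL
        if request.controller == 'default' and request.function == 'user':
            if request.vars._next and request.vars._next.startswith('http'):
                del request.vars._next

    avoid_external_next()  # model files are executed on every request

in the models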

No, it will break other stuff too, which already uses redirection in place.
Just let the developer know that doing so will cause a minor trust issue, and
there is a way to prevent it.

On Wed, Nov 24, 2010 at 1:40 AM, mdipierro mdipie...@cs.depaul.edu wrote:
checked the code and I do not see any
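
An added example (not code from the thread or from web2py): one way to reconcile the two posts above, dropping a `_next` that leads off-site while leaving same-site redirects working. `is_safe_next`, `filter_next` and the host name `app.example` are hypothetical, and the request variables are modelled as a plain dict; Python 3 standard library only.

```python
from urllib.parse import urlsplit

def is_safe_next(next_url, allowed_hosts):
    """True only for a site-rooted path or an http(s) URL on an allowed host."""
    if not next_url or next_url != next_url.strip():
        return False
    # Browsers treat '\' like '/' and ignore control characters, so refuse both.
    if '\\' in next_url or any(ord(c) < 0x20 or ord(c) == 0x7f for c in next_url):
        return False
    try:
        parts = urlsplit(next_url)
        host = parts.hostname          # lower-cased, userinfo and port removed
    except ValueError:                 # e.g. malformed IPv6 literal
        return False
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: scheme and host must both be allowed.
        return parts.scheme in ('http', 'https') and host in allowed_hosts
    # Relative: one leading slash only; '//' and '///' resolve to another host.
    return next_url.startswith('/') and not next_url.startswith('//')

def filter_next(request_vars, allowed_hosts):
    """Delete an unsafe _next from the request variables; True if it was dropped."""
    if '_next' in request_vars and not is_safe_next(request_vars['_next'], allowed_hosts):
        del request_vars['_next']
        return True
    return False

if __name__ == '__main__':
    hosts = {'app.example'}            # constructed: the site's own host name
    samples = [                        # constructed _next values
        '/app/default/index',
        'https://app.example/app/default/index',
        'http://other.example/',
        'HTTP://other.example/',
        '//other.example/',
    ]
    for value in samples:
        print(value, '->', 'keep' if is_safe_next(value, hosts) else 'drop')
```

Unlike a `startswith('http')` test, this also drops protocol-relative and upper-case-scheme values, and it keeps absolute URLs that point back at the site itself.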