[Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Jan-Wijbrand Kolman
Hi,

The SessionCredentialsPlugin will redirect to a login form whenever a 
user needs to be authenticated. The URL to this login form will have a 
camefrom query string, where the camefrom is the path-information to 
the originally requested view.

When the credentials provided by the user are correct, the login form 
will use the camefrom information to redirect back to that original view.

Ideally (a.k.a. according to the HTTP spec.), the camefrom should be an 
absolute URL, not just a path like the SessionCredentialsPlugin now does.

I'd like to fix and release zope.pluggableauth with the following patch 
applied - unless of course there's compelling reasons not to do this:

--- trunk/src/zope/pluggableauth/plugins/session.py 2011-02-07 
10:33:25.643791415 +0100
+++ 
branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py 
2011-02-07 10:40:12.301790203 +0100
@@ -308,7 +308,7 @@
  # Better to add the query string, if present
  query = request.get('QUERY_STRING')

-camefrom = '/'.join([request.getURL(path_only=True)] + stack)
+camefrom = '/'.join([request.getURL()] + stack)
  if query:
  camefrom = camefrom + '?' + query
  url = '%s/@@%s?%s' % (absoluteURL(site, request),
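Review bot: the camefrom built on the `+` line now carries the scheme and host of the incoming request (request.getURL() without path_only=True), but the hunk performs no host check of its own, so whatever later hands this value to response.redirect() must keep the default trusted=False; otherwise a camefrom planted directly on the login-form URL becomes an open redirect. Also confirm that the code after the last context line URL-encodes camefrom before formatting it into '%s/@@%s?%s', since the value now contains ':' and '//' and, once the query string is appended, its own '?'. Dropping path_only=True is a behaviour change for anything that parses camefrom as a path; a changelog entry and a test covering the absolute form would be appropriate.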


regards, jw

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Adam GROSZER
Hello,

I'm not sure whether you open up a security hole there.
Imagine that someone does a
http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
We ended up with storing the camefrom URL in a session variable.

On Mon, 07 Feb 2011 10:42:33 +0100 you wrote:

 Hi,

 The SessionCredentialsPlugin will redirect to a login form whenever a
 user needs to be authenticated. The URL to this login form will have a
 camefrom query string, where the camefrom is the path-information to
 the originally requested view.

 When the credentials provided by the user are correct, the login form
 will use the camefrom information to redirect back to that original view.

 Ideally (a.k.a. according to the HTTP spec.), the camefrom should be an
 absolute URL, not just a path like the SessionCredentialsPlugin now does.

 I'd like to fix and release zope.pluggableauth with the following patch
 applied - unless of course there's compelling reasons not to do this:

 --- trunk/src/zope/pluggableauth/plugins/session.py   2011-02-07
 10:33:25.643791415 +0100
 +++
 branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py
 2011-02-07 10:40:12.301790203 +0100
 @@ -308,7 +308,7 @@
# Better to add the query string, if present
query = request.get('QUERY_STRING')

 -camefrom = '/'.join([request.getURL(path_only=True)] + stack)
 +camefrom = '/'.join([request.getURL()] + stack)
if query:
camefrom = camefrom + '?' + query
url = '%s/@@%s?%s' % (absoluteURL(site, request),


 regards, jw



-- 
Best regards,
  Adam GROSZER
--
Quote of the day:
Man who falls in vat of molten optical glass makes spectacle of self.


Re: [Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Jan-Wijbrand Kolman
On 2/7/11 12:04 PM, Adam GROSZER wrote:
 Hello,

 I'm not sure whether you open up a security hole there.
 Imagine that someone does a
 http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
 We ended up with storing the camefrom URL in a session variable.

The redirect method in the zope publisher checks whether the redirect is 
trusted to go to a different host. The trusted argument is False by 
default. I think it will catch this situation just fine. Or doesn't it?

regards, jw



Re: [Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Adam GROSZER
Hello,

On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:

 On 2/7/11 12:04 PM, Adam GROSZER wrote:
 Hello,

 I'm not sure whether you open up a security hole there.
 Imagine that someone does a
 http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
 We ended up with storing the camefrom URL in a session variable.

 The redirect method in the zope publisher checks whether the redirect is
 trusted to go to a different host. The trusted argument is False by
 default. I think it will catch this situation just fine. Or doesn't it?

Well on the second look, it should.
Then it might have been because Roger was just unsure about the 
zope.publisher version? He is on holiday this week...
See r105125.

Let's wait for what the others say.




[Zope-dev] Zope Tests: 112 OK, 23 Failed

2011-02-07 Thread Zope Tests Summarizer
Summary of messages to the zope-tests list.
Period Sun Feb  6 12:00:00 2011 UTC to Mon Feb  7 12:00:00 2011 UTC.
There were 135 messages: 8 from Zope Tests, 4 from buildbot at pov.lt, 31 from 
buildbot at winbot.zope.org, 11 from ccomb at free.fr, 81 from jdriessen at 
thehealthagency.com.


Test failures
-

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 09:04:08 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031143.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.7 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 09:05:46 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031146.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.7 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 10:03:52 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031154.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 10:05:10 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031157.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 13:59:54 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031172.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.7 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 14:01:13 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031174.html

Subject: FAILED : Zope Buildbot / zopetoolkit-1.1_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 14:57:52 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031187.html

Subject: FAILED : Zope Buildbot / zopetoolkit_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 15:13:14 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031189.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 15:14:36 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031190.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.7 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Feb  6 15:15:58 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031191.html

Subject: FAILED : winbot / ztk_10 py_244_win32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 16:02:33 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031197.html

Subject: FAILED : winbot / z3c.form_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 22:23:54 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031254.html

Subject: FAILED : winbot / z3c.rml_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 22:49:25 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031256.html

Subject: FAILED : winbot / z3c.template_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 22:57:59 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031257.html

Subject: FAILED : winbot / z3c.layer.ready2go_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:03:08 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031259.html

Subject: FAILED : winbot / z3c.formui_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:04:28 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031260.html

Subject: FAILED : winbot / z3c.tabular_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:13:36 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031261.html

Subject: FAILED : winbot / z3c.contents_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:14:32 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031262.html

Subject: FAILED : winbot / z3c.ptcompat_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:32:09 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031263.html

Subject: FAILED : winbot / z3c.pdftemplate_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:36:08 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031264.html

Subject: FAILED : winbot / z3c.coverage_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:37:32 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031265.html

Subject: FAILED : winbot / z3c.macro_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:38:20 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031266.html

Subject: FAILED : winbot / z3c.pagelet_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Feb  6 23:43:15 EST 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-February/031267.html


Tests passed OK
---

Subject: OK : Zope 

Re: [Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Jan-Jaap Driessen
On 7 February 2011 12:29, Adam GROSZER agros...@gmail.com wrote:
 Hello,

 On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:

 On 2/7/11 12:04 PM, Adam GROSZER wrote:
 Hello,

 I'm not sure whether you open up a security hole there.
 Imagine that someone does a
 http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
 We ended up with storing the camefrom URL in a session variable.

 The redirect method in the zope publisher checks whether the redirect is
 trusted to go to a different host. The trusted argument is False by
 default. I think it will catch this situation just fine. Or doesn't it?

 Well on the second look, it should.
 Then it might have been because Roger was just unsure about the
 zope.publisher version? He is on holiday this week...
 See r105125.

 Let's wait for what the others say.




I can confirm that a redirect to an injected camefrom URL yields a ValueError:

Untrusted redirect to host 'www.example.com:80' not allowed.

-- 
Jan-Jaap Driessen
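The challenge-and-return flow described at the top of the thread and the injected-camefrom case confirmed above, as one added Python example that is not zope.pluggableauth or zope.publisher code: it builds the absolute camefrom the patch produces, query-encodes it into the login-form URL, and on the way back refuses any target that leaves the request's own host unless trusted=True is passed explicitly, mirroring the trusted=False behaviour the replies rely on. FakeRequest, the @@loginForm.html view name, the helper names and the request values are assumptions constructed for the example.

```python
# Added example, not zope.pluggableauth or zope.publisher code. Shows both
# halves of the flow discussed in the thread: building an absolute camefrom
# for the login-form challenge, and re-validating it before the post-login
# redirect so an attacker-supplied camefrom cannot leave the site.
# FakeRequest, @@loginForm.html and the helper names are assumptions.
from urllib.parse import parse_qs, urlencode, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class FakeRequest:
    """Stand-in for the publisher request (constructed for this example)."""

    def __init__(self, scheme, host, path, query="", stack=()):
        self.scheme = scheme        # 'http' or 'https'
        self.host = host            # Host header value, may carry ':port'
        self.path = path            # path traversed so far
        self.query = query          # raw QUERY_STRING
        self.stack = list(stack)    # names still to be traversed

    def getURL(self, path_only=False):
        if path_only:
            return self.path
        return f"{self.scheme}://{self.host}{self.path}"


def build_camefrom(request):
    """Absolute camefrom, joined the same way the patch joins it."""
    camefrom = "/".join([request.getURL()] + request.stack)
    if request.query:
        camefrom += "?" + request.query
    return camefrom


def challenge_url(site_url, request):
    """Login-form URL for the challenge. camefrom is query-encoded so its own
    ':', '/', '@' and '?' cannot be misparsed when the form reads it back."""
    return f"{site_url}/@@loginForm.html?{urlencode({'camefrom': build_camefrom(request)})}"


def _host_port(netloc, scheme):
    """(lower-case hostname, effective port) for a netloc like 'a.b:8080';
    userinfo such as 'yoursite.com@evil' is stripped by urlsplit."""
    parts = urlsplit(f"//{netloc}")
    return (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme, 80)


def check_redirect_target(request, location, trusted=False):
    """Return location if the redirect may proceed, else raise ValueError.

    With trusted=False (the default, as in the publisher) the target must
    resolve to the request's own host and port. Relative paths pass; a
    protocol-relative '//host', a userinfo trick 'host@evil', a non-http
    scheme, or a backslash (browsers treat it as '/') is rejected.
    """
    if trusted:
        return location
    if "\\" in location:
        raise ValueError(f"Untrusted redirect {location!r} contains a backslash")
    target = urlsplit(location)
    if target.scheme and target.scheme not in DEFAULT_PORTS:
        raise ValueError(f"Untrusted redirect to scheme {target.scheme!r} not allowed")
    if not target.netloc:
        return location  # same-origin relative URL
    if _host_port(target.netloc, target.scheme or request.scheme) != _host_port(request.host, request.scheme):
        raise ValueError(f"Untrusted redirect to host {target.netloc!r} not allowed.")
    return location


def is_allowed(request, location):
    """Boolean form of check_redirect_target, handy for tests and logging."""
    try:
        check_redirect_target(request, location)
    except ValueError:
        return False
    return True


def finish_login(request, login_url):
    """After the credentials check out: pull camefrom back out of the
    login-form URL and validate it before handing it to the redirect."""
    camefrom = parse_qs(urlsplit(login_url).query).get("camefrom", [""])[0]
    return check_redirect_target(request, camefrom or "/")


if __name__ == "__main__":
    req = FakeRequest("http", "yoursite.com", "/folder/doc", query="a=1", stack=["@@view.html"])
    url = challenge_url("http://yoursite.com", req)
    print(url)
    print(finish_login(req, url))
    try:  # the injected camefrom from the thread
        finish_login(req, "http://yoursite.com/@@loginForm.html?camefrom=http://mysite.com")
    except ValueError as exc:
        print("blocked:", exc)
```

The check is deliberately strict: it compares host and effective port together, as the publisher's error message quoted above ('www.example.com:80') suggests, so a redirect to a different port on the same host is refused as well; relax _host_port only if the site legitimately bounces between ports.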


Re: [Zope-dev] zope.pluggableauth and camefrom information in login form not an absolute URL

2011-02-07 Thread Roger
Hi all 
 
 
 Hello,
 
 On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
 
  On 2/7/11 12:04 PM, Adam GROSZER wrote:
  Hello,
 
  I'm not sure whether you open up a security hole there.
  Imagine that someone does a
  http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
  We ended up with storing the camefrom URL in a session variable.
 
  The redirect method in the zope publisher checks whether
  the redirect is trusted to go to a different host. The trusted argument is
  False by default. I think it will catch this situation just
  fine. Or doesn't it?
 
 Well on the second look, it should.
 Then it might have been because Roger was just unsure about 
 the zope.publisher version? He is on holiday this week...
 See r105125.

Adam,
I have nothing to do with zope.pluggableauth. You probably 
mean z3c.authenticator and friends.

Jan,
why not use the same pattern as I changed to in z3c.authenticator?
There the camefrom request part was replaced by session handling.

On the other hand, I think your changes are fine since, I guess,
someone from gocept fixed and protected the redirect method a long
time ago.

btw,
there was also a proposal about improvements on the old zope3 website.
I don't know if these proposals are still there and accessible.

Regards
Roger Ineichen

 Let's wait for what the others say.
 
 



[Zope-dev] Time for a z3c.blobfile release

2011-02-07 Thread Laurence Rowe
There have been a couple of fixes to z3c.blobfile. Would one of the
package owners (uoestermeier, nadako) be able to make a new release to
pypi?

Thanks!

Laurence