On Friday, September 16, 2011 12:57:07 PM UTC-4, Massimo Di Pierro wrote:
>
> This is in general a security hazard so it needs to be enabled:
>
> auth = Auth(db,auto_redirect=[URL(...),URL(...)])
>
> where URL(...) are the urls where it is safe to redirect to after
> login if originally requested. trunk only.
Even without auto_redirect, isn't the original _next functionality still in place? This change (http://code.google.com/p/web2py/source/detail?r=ae2afc33d6d6afe7de9a2700206d787b00ac1da8) improved the security by ensuring _next can only include relative URLs -- isn't that sufficient to plug the security hole? How does auto_redirect interact with the standard _next functionality?

Anthony
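An added example (not web2py's own code, and not part of the thread) of the post-login redirect check being discussed: a _next value is accepted only if it is a site-relative path, and, when an allowlist is given, only if its path is on that list, which mirrors the auto_redirect idea. The function name is_safe_next and its allowed parameter are assumptions for illustration.

```python
from urllib.parse import urlsplit


def is_safe_next(next_url, allowed=None):
    """Return True if next_url may be used as a post-login redirect.

    Policy (assumed helper, not web2py's implementation):
      1. the target must be a path on this site (no scheme, no host,
         and no scheme-relative '//host' form, which browsers treat
         as absolute);
      2. if `allowed` is given, the path must also be on that list,
         the way auto_redirect lists the URLs it is safe to return to.
    """
    if not next_url:
        return False
    # Leading whitespace/control characters are a classic way to
    # slip past naive prefix checks, so normalise before inspecting.
    next_url = next_url.strip()
    parts = urlsplit(next_url)
    # Absolute URL (http://evil.example/, javascript:...) or
    # scheme-relative URL (//evil.example/) -> off-site redirect.
    if parts.scheme or parts.netloc or next_url.startswith("//"):
        return False
    # Some browsers normalise a leading backslash to a host separator,
    # so treat '/\\host' and '\\host' as off-site as well.
    if next_url.startswith(("\\", "/\\")):
        return False
    # Require a root-relative path so the target is unambiguous.
    if not next_url.startswith("/"):
        return False
    if allowed is not None:
        # Compare the path only; query strings are allowed to vary.
        return parts.path in allowed
    return True
```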

