On Sep 16, 2011, at 11:35 AM, Anthony wrote:

> On Friday, September 16, 2011 2:21:07 PM UTC-4, Jonathan Lundell wrote:
> > Sometimes I think the need for auto_redirect is paranoid.
> 
> What's the hazard? Presumably there's nothing to stop the user from going to 
> the same URL after a successful login, so why not automatically?
> 
> This: https://groups.google.com/d/topic/web2py/dU7018Acz9s/discussion

But the auto_redirect list doesn't protect against that. 

As I read the code, auto-redirect after login (in the sense of going back to 
the target URL) a) only uses the output of URL(), with no domain (so no 
phishing), and b) stores its redirection in session.

I didn't look too closely at the _next= logic, but it doesn't appear to care 
about the auto_redirect list. If those URLs need to be checked, wouldn't it be 
adequate to require that they're relative URLs (in the sense of not including a 
domain)?

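One way to implement the "require a relative URL" check floated above, as an added example that is not web2py's own code: `is_safe_redirect_target` and `resolve_next` are hypothetical helpers, and the sample inputs are constructed. Beyond the bare "no domain" test, it also rejects the scheme-less forms a browser still sends to another host (`//evil.example`, `/\evil.example`), control characters such as CR/LF, and non-string values, which is what a practitioner would want before trusting a `_next=` parameter.

```python
from urllib.parse import urlsplit


def is_safe_redirect_target(next_url):
    """Return True only if next_url is a path on this site.

    Accepts "/path?query#frag" style targets; rejects anything with a
    scheme or host, the protocol-relative "//host" form, the backslash
    variant "/\\host" that browsers normalise to "//host", and any
    control character that could be used for header injection.
    """
    # web2py request.vars can hold a list when a parameter is repeated;
    # only a plain string is acceptable here.
    if not isinstance(next_url, str) or not next_url:
        return False
    # Reject CR/LF, tabs, NUL and other control characters outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_url):
        return False
    # Browsers treat "\" like "/" in the authority position, so normalise
    # before parsing; "/\\evil.example" becomes "//evil.example".
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Must be an absolute path on this host and not protocol-relative.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return True


def resolve_next(next_value, default):
    """Pick the post-login destination: the validated _next, else default."""
    if is_safe_redirect_target(next_value):
        return next_value
    return default


# Constructed sample of values that might arrive in ?_next=
SAMPLE_NEXT_VALUES = [
    "/default/index",
    "/user/profile?tab=2#top",
    "http://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example",
    "javascript:alert(1)",
    "/default/index\r\nSet-Cookie: session=x",
    "",
]


def classify_samples():
    """Map each sample to whether it would be accepted as a redirect."""
    return {value: is_safe_redirect_target(value) for value in SAMPLE_NEXT_VALUES}


if __name__ == "__main__":
    for value, ok in classify_samples().items():
        print(("ACCEPT " if ok else "REJECT ") + repr(value))
    print("login would redirect to:",
          resolve_next("//evil.example", default="/default/index"))
```

The leading-slash requirement is deliberate: a bare `evil.example` would be interpreted by the browser as a path on the current host and is harmless, but requiring `/` keeps the rule simple to reason about and avoids surprises with other parsers.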