I did not notice that feature -1
. adds complexity in API and code
. not a security feature IMHO it is more dangerous than nothing

mic

2011/9/16 Jonathan Lundell <[email protected]>:
> On Sep 16, 2011, at 11:35 AM, Anthony wrote:
> > On Friday, September 16, 2011 2:21:07 PM UTC-4, Jonathan Lundell wrote:
>>
>> > Sometimes I think the need for auto_redirect is paranoid.
>>
>> What's the hazard? Presumably there's nothing to stop the user from going
>> to the same URL after a successful login, so why not automatically?
>
> This: https://groups.google.com/d/topic/web2py/dU7018Acz9s/discussion
>
> But the auto_redirect list doesn't protect against that.
> As I read the code, auto-redirect after login (in the sense of going back to
> the target URL) a) only uses the output of URL(), with no domain (so no
> phishing), and b) stores its redirection in session.
> I didn't look too closely at the _next= logic, but it doesn't appear to care
> about the auto_redirect list. If those URLs need to be checked, wouldn't it
> be adequate to require that they're relative URLs (in the sense of not
> including a domain)?
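The rule Jonathan proposes in the quoted message (honour a post-login target only if it is a relative URL with no domain) written out as an added example. This is not web2py's Auth code and not code from anyone in the thread; the function names `is_safe_redirect` and `resolve_post_login_target`, the session key `post_login_redirect` and the sample values are all invented here. It goes a little beyond the bare "no domain" wording: `urlsplit()` alone reports no host for backslash and whitespace variants that a browser would still resolve off-site, so those are refused too, and a leading `/` is required so that only paths of the shape `URL()` produces are accepted.

```python
from urllib.parse import urlsplit

# Hypothetical helpers written for this thread; not web2py's Auth code.
# They implement the proposed rule: a post-login target is only honoured
# if it is a relative URL carrying no scheme and no host.


def is_safe_redirect(target) -> bool:
    """True only for a same-site path such as '/default/index?x=1'.

    Rejects anything with a scheme or a host, and also the forms that
    urlsplit() reports as host-less but which browsers resolve to another
    site (protocol-relative '//host', backslash variants, stray whitespace).
    """
    if not target or not isinstance(target, str):
        return False
    # Control characters or whitespace can make the browser parse the value
    # differently from the server-side check; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat '\' as '/' in URLs, so '/\host' behaves like '//host'.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # 'https://other/...', '//other/...', 'javascript:...'
    # Require an absolute path on this site, like the output of URL().
    return target.startswith("/") and not target.startswith("//")


def resolve_post_login_target(request_vars: dict, session: dict,
                              default: str = "/") -> str:
    """Pick where to send the user after a successful login.

    Preference order follows the thread: a redirect the application stored
    server-side in the session wins over a client-supplied _next= value, and
    either is used only if is_safe_redirect() accepts it. Otherwise fall back
    to a fixed local default.
    """
    stored = session.pop("post_login_redirect", None)
    if stored and is_safe_redirect(stored):
        return stored
    supplied = request_vars.get("_next")
    if supplied and is_safe_redirect(supplied):
        return supplied
    return default


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    print(resolve_post_login_target({"_next": "/user/profile"}, {}))
    print(resolve_post_login_target({"_next": "//evil.example/"}, {}))
```

The session-stored target is preferred because it was produced by the application's own `URL()` call, which is the property Jonathan points out makes the existing auto-redirect safe; the `_next=` value is client-controlled and is the one that needs the check.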

