On Friday, September 16, 2011 3:00:59 PM UTC-4, Jonathan Lundell wrote:

> > On Friday, September 16, 2011 2:21:07 PM UTC-4, Jonathan Lundell wrote:
> >
> > > Sometimes I think the need for auto_redirect is paranoid.
> > >
> > > What's the hazard? Presumably there's nothing to stop the user from going
> > > to the same URL after a successful login, so why not automatically?
> >
> > This: https://groups.google.com/d/topic/web2py/dU7018Acz9s/discussion
>
> But the auto_redirect list doesn't protect against that.
>
> As I read the code, auto-redirect after login (in the sense of going back
> to the target URL) a) only uses the output of URL(), with no domain (so no
> phishing), and b) stores its redirection in session.
>
> I didn't look too closely at the _next= logic, but it doesn't appear to
> care about the auto_redirect list. If those URLs need to be checked,
> wouldn't it be adequate to require that they're relative URLs (in the sense
> of not including a domain)?
Right, I thought you were asking about the general need to restrict what is allowed in _next. I'm also confused about auto_redirect -- looks like it is still limited to URLs internal to the app, which should be handled adequately by the new _next logic that allows only relative URLs.

Anthony
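The thread's point is that a post-login `_next` target is only safe against phishing-style open redirects if it is a relative, same-site URL. The following is an added example of such a check, written for this discussion and not taken from web2py's own `_next` implementation; the function names `is_safe_next` and `safe_redirect_target` and the sample URLs are this example's own. It goes a little beyond "no domain": it also rejects protocol-relative (`//host`) and triple-slash forms, backslashes, and whitespace, which browsers can turn into an off-site redirect even though no scheme or host is visible.

```python
from urllib.parse import urlsplit


def is_safe_next(next_url: str) -> bool:
    """Accept only an app-relative path such as '/default/index?x=1#top'.

    Rejects anything that could leave the site once the browser resolves it:
    absolute URLs, protocol-relative URLs, 'javascript:'-style schemes,
    backslash and whitespace tricks, and empty values.
    """
    if not next_url:
        return False

    # Whitespace/control characters and backslashes are stripped or remapped
    # by browsers (e.g. '/\\evil.example' resolves to http://evil.example),
    # so they never belong in a redirect target.
    if any(ord(c) < 0x20 or c.isspace() for c in next_url) or "\\" in next_url:
        return False

    # Must be an absolute path within this app, and not protocol-relative:
    # '//host' and '///host' both resolve to another origin in browsers,
    # even though urlsplit reports no netloc for the triple-slash form.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False

    parts = urlsplit(next_url)
    # Any scheme (http:, javascript:, data:) or host component is off-site.
    if parts.scheme or parts.netloc:
        return False

    return True


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return next_url if it passes the check, otherwise the app's default."""
    return next_url if is_safe_next(next_url) else default


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request log.
    samples = [
        "/default/index",
        "/default/index?x=1#top",
        "http://evil.example/login",
        "//evil.example/login",
        "///evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        " /default/index",
        "",
    ]
    for s in samples:
        print(f"{s!r:32} -> {safe_redirect_target(s)!r}")
```

Plugging `safe_redirect_target(request.vars._next)` into the login handler in place of a raw redirect is the whole mitigation: a rejected value silently falls back to the app's landing page rather than producing an error the attacker could probe.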

