On Sep 16, 2011, at 1:56 PM, Massimo Di Pierro <[email protected]> wrote:
> It is not handled adequately if the app uses an external
> authentication. Perhaps there is a better solution... let me think
> about this some more.
>
> Basically the issue is this code in web2py/gluon/tools.py
>
>     if auto_redirect and URL() in auto_redirect:
>         if not self.user:
>             if not session._auth_next:
>                 session._auth_next = URL(args=request.args,
>                                          vars=request.get_vars)
>     if auto_redirect and not URL() in auto_redirect and \
>             self.user and session._auth_next:
>         next = session._auth_next
>         session._auth_next = None
>         redirect(next)
>
> should it just be?
>
>     if not self.user:
>         if not session._auth_next:
>             session._auth_next = URL(args=request.args,
>                                      vars=request.get_vars)
>     if self.user and session._auth_next and not self.user and \
>             session._auth_next.startswith(URL()):
>         next = session._auth_next
>         session._auth_next = None
>         redirect(next)
>
> and get rid of auto_redirect?

I think so. You've got a contradictory self.user test there, though. Is the startswith test needed? Right? If we're already at that URL, why redirect?

> On Sep 16, 3:27 pm, Anthony <[email protected]> wrote:
>> On Friday, September 16, 2011 3:00:59 PM UTC-4, Jonathan Lundell wrote:
>>
>>> On Friday, September 16, 2011 2:21:07 PM UTC-4, Jonathan Lundell wrote:
>>
>>>> Sometimes I think the need for auto_redirect is paranoid.
>>
>>>> What's the hazard? Presumably there's nothing to stop the user from going
>>>> to the same URL after a successful login, so why not automatically?
>>
>>> This: https://groups.google.com/d/topic/web2py/dU7018Acz9s/discussion
>>
>>> But the auto_redirect list doesn't protect against that.
>>
>>> As I read the code, auto-redirect after login (in the sense of going back
>>> to the target URL) a) only uses the output of URL(), with no domain (so no
>>> phishing), and b) stores its redirection in session.
>>
>>> I didn't look too closely at the _next= logic, but it doesn't appear to
>>> care about the auto_redirect list. If those URLs need to be checked,
>>> wouldn't it be adequate to require that they're relative URLs (in the sense
>>> of not including a domain)?
>>
>> Right, I thought you were asking about the general need to restrict what is
>> allowed in _next. I'm also confused about auto_redirect -- looks like it is
>> still limited to URLs internal to the app, which should be handled
>> adequately by the new _next logic that allows only relative URLs.
>>
>> Anthony
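A defensive check for the _next question discussed in this thread, added here as an example and not code from web2py or from anyone in the thread: it honours only relative URLs inside the application and refuses anything that carries a scheme or host, including the protocol-relative, backslash and control-character spellings that browsers normalise into an external address. The app prefix /myapp, the default/index fallback and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed: the application is served under this prefix, as web2py's URL()
# would generate for an application named "myapp".
APP_PREFIX = "/myapp"


def is_safe_next(target, app_prefix=APP_PREFIX):
    """True only if `target` is a relative URL that stays inside this app.

    A post-login destination must never carry a scheme or host; otherwise a
    crafted login link sends the freshly authenticated user off-site.
    """
    if not isinstance(target, str) or not target.startswith("/"):
        return False                      # empty, or not an absolute path
    if target.startswith("//"):
        return False                      # "//host" and "///host" are protocol-relative
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False                      # browsers turn "/\host" into "//host" and drop
                                          # tabs/newlines before parsing
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False                      # e.g. "http:", "javascript:", or a host part
    path = parts.path
    # Finally require the path to be within the application itself.
    return path == app_prefix or path.startswith(app_prefix + "/")


def resolve_next(requested, current_url, fallback=APP_PREFIX + "/default/index"):
    """Choose where to send the user after a successful login.

    Only a safe in-app target is honoured, and, as the thread notes, there is
    no point redirecting to the page the user is already on.
    """
    if requested and is_safe_next(requested) and urlsplit(requested).path != current_url:
        return requested
    return fallback


if __name__ == "__main__":
    # Constructed sample targets: the first two are legitimate, the rest are not.
    for candidate in ["/myapp/default/index?x=1", "/myapp/admin/panel",
                      "http://evil.example/myapp", "//evil.example/myapp",
                      "///evil.example/myapp", "/\\evil.example/myapp",
                      "javascript:alert(1)", "/otherapp/default/index",
                      "/myapp/default/index\r\n", "myapp/default/index"]:
        print(repr(candidate), "->", "allowed" if is_safe_next(candidate) else "rejected")
```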

