Hi Dan

I have an issue with the latest changes in

The redirect method in HTTPResponse http.py line: 880
forces a ValueError, because the Apache HTTP_HOST
and the target_host do not compare.

def redirect(self, location, status=None, trusted=False):
    location = str(location)
    if not trusted:
        scheme, target_host, path, query, fragment = (
            urlparse.urlsplit(location))
        # target_host is the raw netloc, so it keeps any ":PORT" suffix
        if target_host and target_host != self._request.get('HTTP_HOST'):
            raise ValueError(
                "Untrusted redirect to host %r not allowed." % target_host)

Apache uses <DOMAIN> in HTTP_HOST as expected,
and the method used with urlparse.urlsplit(location)
returns <DOMAIN:PORT> as the target_host value.

I'm not sure if this is an issue or a bad Apache rewrite.

As far as I see, we should remove the PORT part from the
target_host value, right?

I'm not sure if removing the port info from the value
is counterproductive for security. If so,
what is the correct concept for making the Apache
rewrite work? I guess there is no way to support both.

btw, I run into this problem after a redirect during
authentication from the login form to the camefrom URL. This
should be reproducible with any other Apache (port) rewrite setup.

Roger Ineichen
Projekt01 GmbH
Boesch 65
6331 Hünenberg
phone     +41 (0)41 781 01 78
mobile    +41 (0)79 340 52 32
fax       +41 (0)41 781 00 78
email roger.ineic...@projekt01.ch
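
An added example, not part of the original message and not Zope's code, of the trade-off asked about above: rather than stripping the port from target_host, compare host and effective port, treating a missing port as the scheme default. It uses Python 3's urllib.parse in place of urlparse; example.org, the function names and the request_scheme parameter are assumptions.

```python
from urllib.parse import urlsplit  # Python 3 home of the page's urlparse.urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def strict_match(location, http_host):
    """The comparison quoted in the message: raw netloc against HTTP_HOST."""
    target_host = urlsplit(location).netloc
    return not target_host or target_host == http_host


def host_port(netloc, scheme):
    """Split 'host' or 'host:port' into (lowercased host, effective port)."""
    parts = urlsplit("//" + netloc)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (parts.hostname or "").lower(), port


def normalized_match(location, http_host, request_scheme="http"):
    """Compare host and effective port, so ':80' on http equals no port,
    while any other port (or host) still counts as a different target."""
    try:
        target = urlsplit(location)
        if not target.netloc:
            return True  # no host in the location, as in the quoted check
        scheme = target.scheme or request_scheme
        return (host_port(target.netloc, scheme)
                == host_port(http_host, request_scheme))
    except ValueError:  # malformed port or IPv6 literal: treat as untrusted
        return False


if __name__ == "__main__":
    # Constructed sample values; example.org stands in for <DOMAIN>.
    for loc in ("http://example.org:80/login", "http://example.org:8080/login",
                "http://other.example/", "/relative/path"):
        print(loc, strict_match(loc, "example.org"),
              normalized_match(loc, "example.org"))
```

Stripping the port outright would also accept the :8080 location, which is a different service on the same host; the normalized comparison keeps rejecting it.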
