On 2/7/11 12:04 PM, Adam GROSZER wrote:
> Hello,
> I'm not sure whether you open up a security hole there.
> Imagine that someone does a
> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
> We ended up with storing the camefrom URL in a session variable.

The redirect method in the zope publisher checks whether the redirect is 
"trusted" to go to a different host. The trusted argument is "False" by 
default. I think it will catch this situation just fine. Or doesn't it?

regards, jw

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )
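
The host check discussed in this thread, applied to the `camefrom` value before it is stored in a session or used as a redirect target. This is an added example, not code from the original posts or from the zope publisher; `safe_camefrom` and its arguments are hypothetical names, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_camefrom(camefrom, request_host, default="/"):
    """Return camefrom if it stays on request_host, otherwise default.

    request_host is the host (including any port) the login form was
    served from; it is an assumption that the caller takes it from
    trusted server configuration rather than from user input.
    """
    if not camefrom:
        return default
    # Browsers treat backslashes like slashes and drop control characters,
    # so a value containing either may resolve differently than it parses.
    if "\\" in camefrom or any(ord(c) < 0x21 for c in camefrom):
        return default
    # "//host/..." (and "///host") is read by browsers as another host.
    if camefrom.startswith("//"):
        return default
    try:
        parts = urlsplit(camefrom)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted on this site.
        return camefrom if camefrom.startswith("/") else default
    if parts.scheme not in ALLOWED_SCHEMES:
        return default
    # Compare the whole netloc, so "yoursite.com@mysite.com" (userinfo
    # trick) or a different port does not pass as the same host.
    if parts.netloc.lower() != request_host.lower():
        return default
    return camefrom


if __name__ == "__main__":
    # Constructed sample values modelled on the URLs in the thread.
    for value in ("http://mysite.com",
                  "http://yoursite.com/folder/@@index.html",
                  "/folder/page",
                  "//mysite.com/x",
                  "http://yoursite.com@mysite.com/"):
        print(repr(value), "->", repr(safe_camefrom(value, "yoursite.com")))
```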
