Hello,

On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
>
> On 2/7/11 12:04 PM, Adam GROSZER wrote:
>> Hello,
>>
>> I'm not sure whether you open up a security hole there.
>> Imagine that someone does a
>> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
>> We ended up with storing the camefrom URL in a session variable.
>
> The redirect method in the zope publisher checks whether the redirect is
> "trusted" to go to a different host. The trusted argument is "False" by
> default. I think it will catch this situation just fine. Or doesn't it?

Well on the second look, it should.
Then it might have been because Roger was just unsure about the 
zope.publisher version? He is on holiday this week...
See r105125.

Let's wait and see what the others say.


_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
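The same-host check the thread is talking about, written out as an added example so the `camefrom` case can be exercised. This is not zope.publisher's code and not Roger's change in r105125; it is a stand-alone model of the contract described above (cross-host targets refused unless the caller passes `trusted=True`). The names `is_same_host_redirect`, `check_redirect`, `resolve_camefrom` and the host `yoursite.com` / `mysite.com` inputs are assumptions taken from the thread's example URL, not identifiers from Zope.

```python
from urllib.parse import urlsplit


class UntrustedRedirect(ValueError):
    """Raised when a redirect would leave the host the request came in on."""


def _authority_host(netloc):
    """Drop any userinfo ('user:pw@') and lower-case the host[:port] part.

    'yoursite.com@mysite.com' must be read as mysite.com, which is how a
    browser resolves it; an attacker will happily use that form.
    """
    return netloc.rsplit('@', 1)[-1].lower()


def is_same_host_redirect(request_host, location):
    """True if *location* stays on *request_host*, False otherwise.

    Handles the shapes a camefrom parameter can arrive in: relative paths,
    absolute URLs, scheme-relative '//host' URLs, backslash variants and
    non-web schemes. request_host is compared as given (host[:port]), so a
    location naming a different port is treated as a different host.
    """
    # Browsers treat '\' like '/' in the authority, so '/\evil.com' is really
    # '//evil.com'. Normalise before parsing so urlsplit sees the host.
    parts = urlsplit(location.replace('\\', '/'))
    if parts.scheme:
        # Only plain web schemes; this rejects javascript:, data:, etc.
        if parts.scheme.lower() not in ('http', 'https'):
            return False
        # 'https:evil.com' has a scheme but no netloc; a browser may still
        # resolve it to https://evil.com/, so refuse rather than guess.
        if not parts.netloc:
            return False
    target = _authority_host(parts.netloc)
    # Empty target means a relative URL, which stays on this host.
    return target == '' or target == _authority_host(request_host)


def check_redirect(request_host, location, trusted=False):
    """Model of the described contract: refuse cross-host targets unless the
    caller explicitly passes trusted=True (default False)."""
    if not trusted and not is_same_host_redirect(request_host, location):
        raise UntrustedRedirect(
            'untrusted redirect from %r to %r not allowed' % (request_host, location))
    return location


def resolve_camefrom(request_host, camefrom, default='/'):
    """What a login form should do with a camefrom value, whether it came from
    the query string or was parked in a session: use it only if it stays on
    this host, otherwise fall back to a safe default."""
    if not camefrom:
        return default
    try:
        return check_redirect(request_host, camefrom)
    except UntrustedRedirect:
        return default


if __name__ == '__main__':
    # Constructed inputs modelled on the thread's example URLs.
    host = 'yoursite.com'
    for target in ('/@@index.html', 'http://mysite.com', '//mysite.com/',
                   '/\\mysite.com/', 'http://yoursite.com@mysite.com/'):
        print('%-32s -> %s' % (target, resolve_camefrom(host, target)))
```

The point of `resolve_camefrom` is that parking the value in a session does not change anything: the check has to sit on the path that actually issues the redirect, and it only helps if that path is the one that defaults to untrusted.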
