On 7 February 2011 12:29, Adam GROSZER <agros...@gmail.com> wrote:
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
>> On 2/7/11 12:04 PM, Adam GROSZER wrote:
>>> I'm not sure whether you open up a security hole there.
>>> Imagine that someone does a
>>> We ended up storing the camefrom URL in a session variable.
>> The redirect method in the zope publisher checks whether the redirect is
>> "trusted" to go to a different host. The trusted argument is "False" by
>> default. I think it will catch this situation just fine. Or doesn't it?
> Well on the second look, it should.
> Then it might have been because Roger was just unsure about the
> zope.publisher version? He is on holiday this week...
> See r105125.
> Let's wait for what the others say.
> Zope-Dev maillist - Zope-Dev@zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope )
I can confirm that a redirect to an injected camefrom URL yields a ValueError:
Untrusted redirect to host 'www.example.com:80' not allowed.
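The host check the thread relies on, written out as an added Python example that models the behaviour described (a redirect leaves the current host only when the caller passes `trusted=True`, otherwise a `ValueError` is raised); this is not zope.publisher's own code. It assumes a login view that reads an untrusted `camefrom` form field and a request host string such as `localhost:8080`; the names `check_redirect`, `login_redirect_target` and `_host_key` are invented here.

```python
"""Model of a host-restricted redirect check for a 'camefrom' parameter.

Added example, not zope.publisher's code.  It mirrors the behaviour the
thread describes: an off-host redirect is only allowed when the caller
passes trusted=True; otherwise a ValueError is raised.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_key(netloc, scheme):
    """Canonical 'host:port' for comparison: lower-cased host, any
    userinfo stripped, and the scheme's default port filled in when the
    netloc omits it (so 'localhost' and 'LOCALHOST:80' compare equal)."""
    parts = urlsplit("//" + netloc)  # urlsplit separates userinfo, host and port
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 80)
    return "%s:%d" % (host, port)


def check_redirect(location, request_host, request_scheme="http", trusted=False):
    """Return `location` if it is safe to redirect to, else raise ValueError.

    - trusted=True bypasses the check; reserve it for server-chosen targets.
    - A relative location (no authority part) stays on the current host
      and is always allowed.
    - An absolute or scheme-relative ('//host/path') location is allowed
      only if its host:port equals the request's host:port.
    """
    if trusted:
        return location
    parts = urlsplit(location)
    if not parts.netloc:
        return location
    target = _host_key(parts.netloc, parts.scheme or request_scheme)
    own = _host_key(request_host, request_scheme)
    if target != own:
        raise ValueError("Untrusted redirect to host %r not allowed." % target)
    return location


def login_redirect_target(form, request_host, request_scheme="http"):
    """Where a login view sends the user after a successful login.

    `form` is the submitted (untrusted) form dict; `camefrom` is user
    controllable, so it goes through check_redirect with the default
    trusted=False.  An unsafe value falls back to the site root instead of
    propagating the ValueError to the user.
    """
    camefrom = form.get("camefrom") or "/"
    try:
        return check_redirect(camefrom, request_host, request_scheme)
    except ValueError:
        return "/"


if __name__ == "__main__":
    # Constructed sample inputs: a same-host path and an injected off-host URL.
    print(login_redirect_target({"camefrom": "/dashboard"}, "localhost:8080"))
    try:
        check_redirect("http://www.example.com/", "localhost")
    except ValueError as exc:
        print(exc)
```

The comparison is done on a normalised host:port rather than on the raw string, so an omitted default port or a differently-cased hostname does not cause a false rejection, while a scheme-relative `//other-host/...` value (which `urlsplit` still reports with a netloc) is rejected like any other off-host target.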