> information in login form not an absolute URL
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
> > On 2/7/11 12:04 PM, Adam GROSZER wrote:
> >> Hello,
> >> I'm not sure whether you open up a security hole there.
> >> Imagine that someone does a
> >> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
> >> We ended up with storing the camefrom URL in a session variable.
> > The redirect method in the zope publisher checks whether the redirect
> > is "trusted" to go to a different host. The trusted argument is
> > "False" by default. I think it will catch this situation just fine.
> > Or doesn't it?
> Well on the second look, it should.
> Then it might have been because Roger was just unsure about
> the zope.publisher version? He is on holiday this week...
> See r105125.
I have nothing to do with zope.pluggableauth. You probably
mean z3c.authenticator and friends.
Why not use the same pattern I changed to in z3c.authenticator?
There the camefrom request part was replaced by session handling.
On the other side, I think your changes are fine since, I guess,
someone from gocept, a long time ago, fixed and protected the
There was also a proposal about improvements on the old zope3 website.
I don't know if these proposals are still there and accessible.
> Let's wait and see what the others say.
> Zope-Dev maillist - Zope-Dev@zope.org
> ** No cross posts or HTML encoding! ** (Related lists -
> https://mail.zope.org/mailman/listinfo/zope )
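An added example (not code from this thread, from zope.publisher or from z3c.authenticator) of the two defensive patterns the thread relies on: a host check in the spirit of `redirect(trusted=False)`, accepting only relative paths or absolute URLs on the request's own host as a `camefrom` target, and keeping the accepted value in the session instead of re-reading it from the request. The function names and the dict-based session are assumptions.

```python
from urllib.parse import urlsplit


def is_local_redirect(camefrom, request_host):
    """Return True only if ``camefrom`` stays on ``request_host``.

    Assumed helper mirroring the idea behind zope.publisher's
    redirect(trusted=False): a target on another host is refused.
    ``request_host`` is the bare hostname of the current request.
    """
    if not camefrom:
        return False
    parts = urlsplit(camefrom)
    # Only web schemes may redirect; javascript:, data:, etc. are refused.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative ('//host/...') URL: the host part,
        # with any userinfo and port stripped, must equal our own host.
        return (parts.hostname is not None
                and parts.hostname == request_host.lower())
    # No netloc: accept a plain site-local path only. Reject '///host'
    # and backslash forms, which some browsers normalise to '//host'.
    return (camefrom.startswith("/")
            and not camefrom.startswith("//")
            and "\\" not in camefrom)


def store_camefrom(session, request_host, camefrom):
    """Validate once at login-form time and keep the target in the session.

    Returns True if a target was stored, False if it was refused.
    """
    if is_local_redirect(camefrom, request_host):
        session["camefrom"] = camefrom
        return True
    return False


def pop_camefrom(session, default="/"):
    """After a successful login, take the stored target (or the default)."""
    return session.pop("camefrom", default)
```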