Hi all 
 
> information in login form not an absolute URL
> 
> Hello,
> 
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
> >
> > On 2/7/11 12:04 PM, Adam GROSZER wrote:
> >> Hello,
> >>
> >> I'm not sure whether you open up a security hole there.
> >> Imagine that someone does a
> >> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
> >> We ended up with storing the camefrom URL in a session variable.
> >
> > The redirect method in the zope publisher checks whether 
> the redirect 
> > is "trusted" to go to a different host. The trusted arguments is 
> > "False" by default. I think will catch this situation just 
> fine. Or doesn't it?
> 
> Well on the second look, it should.
> Then it might have been because Roger was just unsure about 
> the zope.publisher version? He is on holiday this week...
> See r105125.

Adam,
I have nothing to do with zope.pluggableauth. You probably 
mean z3c.authenticator and friends.

Jan,
why not use the same pattern like I changed to in z3c.authenticator.
There the camefrom request part was replaced by session handling.

On the other side, I think your changes are fine since, I guess
someone from gocept, a long time ago, fixed and protected the
redirect method.

btw,
there was also a proposal about improvments on old zope3 website.
I don't konw if this proposals are still there and accessible. 

Regards
Roger Ineichen

> Let's wait what the other say.
> 
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  ** (Related lists -  
> https://mail.zope.org/mailman/listinfo/zope-announce
>  https://mail.zope.org/mailman/listinfo/zope )
> 

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to