On 7 February 2011 12:29, Adam GROSZER <agros...@gmail.com> wrote:
> Hello,
>
> On Mon, 07 Feb 2011 12:15:40 +0100 you wrote:
>>
>> On 2/7/11 12:04 PM, Adam GROSZER wrote:
>>> Hello,
>>>
>>> I'm not sure whether you open up a security hole there.
>>> Imagine that someone does a
>>> http://yoursite.com/@@loginform.html?camefrom=http://mysite.com
>>> We ended up with storing the camefrom URL in a session variable.
>>
>> The redirect method in the zope publisher checks whether the redirect is
>> "trusted" to go to a different host. The trusted argument is "False" by
>> default. I think it will catch this situation just fine. Or doesn't it?
>
> Well, on second look, it should.
> Then it might have been because Roger was just unsure about the
> zope.publisher version? He is on holiday this week...
> See r105125.
>
> Let's wait and see what the others say.
>
> _______________________________________________
> Zope-Dev maillist - Zope-Dev@zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope )
I can confirm that a redirect to an injected camefrom URL yields a
ValueError: "Untrusted redirect to host 'www.example.com:80' not allowed".

--
Jan-Jaap Driessen
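The check the thread relies on, written out as an added example (this is not zope.publisher's own code, only a stand-alone illustration of the same rule): an absolute camefrom URL is only followed when its host:port matches the host:port the request arrived on, otherwise a ValueError in the same style as above is raised. The `request_host` argument is assumed to be the request's host:port string, and `safe_camefrom` is an assumed helper that falls back to "/" on rejection.

```python
from urllib.parse import urlsplit

# Default ports used to normalise a target to "host:port" before comparing.
DEFAULT_PORTS = {"http": 80, "https": 443}


def target_netloc(url):
    """Return 'host:port' for an absolute URL, filling in the scheme's default port.

    Returns None for a relative URL (no scheme and no host), which stays on-site.
    Returns '' when the host is missing or the scheme is unknown, so that
    scheme-relative ('//evil.example/...') and odd-scheme targets are rejected.
    """
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return None
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if not host or port is None:
        return ""
    return "%s:%d" % (host, port)


def check_redirect(location, request_host, trusted=False):
    """Allow the redirect only if it stays on request_host, unless trusted=True.

    Mirrors the publisher behaviour described in the thread: an off-site
    absolute target raises ValueError instead of being followed.
    """
    if trusted:
        return location
    netloc = target_netloc(location)
    if netloc is None:  # relative path: always on-site
        return location
    if netloc != request_host:
        raise ValueError("Untrusted redirect to host %r not allowed" % netloc)
    return location


def safe_camefrom(camefrom, request_host):
    """Resolve a user-supplied camefrom value, falling back to '/' if it is off-site."""
    try:
        return check_redirect(camefrom, request_host)
    except ValueError:
        return "/"
```

Note that `parts.port` itself raises ValueError on a malformed port, which `safe_camefrom` also treats as a rejection.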