[Checkins] SVN: zope.pluggableauth/branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py As the camefrom information is most probably used for a redirect, require it to be an absolute URL.

Jan-Jaap Driessen jdriessen at thehealthagency.com
Mon Feb 7 04:40:15 EST 2011


Log message for revision 120175:
  As the camefrom information is most probably used for a redirect, require it to be an absolute URL.

Changed:
  U   zope.pluggableauth/branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py

-=-
Modified: zope.pluggableauth/branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py
===================================================================
--- zope.pluggableauth/branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py	2011-02-07 09:31:56 UTC (rev 120174)
+++ zope.pluggableauth/branches/janjaapdriessen-camefrom-fix/src/zope/pluggableauth/plugins/session.py	2011-02-07 09:40:15 UTC (rev 120175)
@@ -261,7 +261,7 @@
           >>> request.response.getStatus()
           302
           >>> request.response.getHeader('location')
-          'http://127.0.0.1/@@loginForm.html?camefrom=%2F'
+          'http://127.0.0.1/@@loginForm.html?camefrom=http%3A%2F%2F127.0.0.1'
 
         The plugin redirects to the page defined by the loginpagename
         attribute:
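Review bot: only the expected value changes here, from the path `%2F` to the absolute `http%3A%2F%2F127.0.0.1`, while the doctest narrative around it still reads as before; add a sentence to the docstring stating that camefrom is now the absolute request URL and why (the login form redirects to it), so a reader of the doctest does not have to infer the reason from the changed literal.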
@@ -270,7 +270,7 @@
           >>> plugin.challenge(request)
           True
           >>> request.response.getHeader('location')
-          'http://127.0.0.1/@@mylogin.html?camefrom=%2F'
+          'http://127.0.0.1/@@mylogin.html?camefrom=http%3A%2F%2F127.0.0.1'
 
         It also provides the request URL as a 'camefrom' GET style parameter.
         To illustrate, we'll pretend we've traversed a couple names:
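Review bot: the unchanged context line "It also provides the request URL as a 'camefrom' GET style parameter." now understates what the changed expectation shows; rewording it to "the absolute request URL" keeps the prose consistent with the new `camefrom=http%3A%2F%2F127.0.0.1` value two lines above.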
@@ -293,7 +293,7 @@
         We see the 'camefrom' points to the requested URL:
 
           >>> request.response.getHeader('location') # doctest: +ELLIPSIS
-          '.../@@mylogin.html?camefrom=%2Ffoo%2Fbar%2Ffolder%2Fpage+1.html%3Fq%3Dvalue'
+          'http://127.0.0.1/@@mylogin.html?camefrom=http%3A%2F%2F127.0.0.1%2Ffoo%2Fbar%2Ffolder%2Fpage+1.html%3Fq%3Dvalue'
 
         This can be used by the login form to redirect the user back to the
         originating URL upon successful authentication.
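Review bot: the new expected output spells out the full `http://127.0.0.1/...` URL, so the `# doctest: +ELLIPSIS` directive on the `getHeader('location')` line no longer has an ellipsis to match and can be dropped; if the intent is not to hard-code the host in the test, keep the directive and the leading `...` as in the removed line instead.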
@@ -308,7 +308,7 @@
         # Better to add the query string, if present
         query = request.get('QUERY_STRING')
 
-        camefrom = '/'.join([request.getURL(path_only=True)] + stack)
+        camefrom = '/'.join([request.getURL()] + stack)
         if query:
             camefrom = camefrom + '?' + query
         url = '%s/@@%s?%s' % (absoluteURL(site, request),
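Review bot: dropping `path_only=True` from `request.getURL()` makes camefrom an absolute URL that, per the doctest text, the login form later redirects to; because that value arrives as a query parameter, the consuming side must still verify the target is on the same scheme and host before redirecting, otherwise accepting an arbitrary absolute camefrom turns the login form into an open redirect. A short comment above the `'/'.join(...)` line recording that camefrom is intentionally absolute, and that the join relies on `getURL()` returning no trailing slash (the doctest shows `http://127.0.0.1` followed by `/foo`), would make the change self-explanatory.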
