[Zope] Zope & SSL & IE6 redirection bug

Jamie Heilman jamie@audible.transient.net
Mon, 17 Feb 2003 18:41:12 -0800


> Should I just have leveraged Apache?

yes.
 
> On a final note, the latest IE6 on WinXP seems to have a bug in which a
> redirect causes the browser to generate a subsequent request in which the
> "Host:" header reflects the original, rather than new, hostname/port.  This
> leads to incorrect operation of the absolute_url() method ... and all kinds
> of nastiness.  Anyone also see this?

This is a perfect example of why ZServer should never be used by
itself.  As recently discussed on the -dev list, the Host header is
tainted information; any code which treats it as authoritative without
untainting is broken.  ZServer blindly accepts anything you feed it.
Nor does it contextually escape it when reusing the host data in the
base href either.  Fun.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."		-Rosencrantz
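
An added example, not part of the original message and not Zope or ZServer code: one way to untaint a client-supplied Host header against an allow-list of served hosts and escape it for the HTML attribute context before it reaches a base href. The names `ALLOWED_HOSTS`, `untaint_host` and `base_href_tag`, and all host values, are assumptions made for illustration.

```python
import html
import re

# Assumption: the host[:port] values this site is really served under.
ALLOWED_HOSTS = {"www.example.com", "www.example.com:443"}
DEFAULT_HOST = "www.example.com"

# Syntax check: DNS labels plus optional port. Quotes, angle brackets,
# whitespace and CR/LF can never match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(r"%s(?:\.%s)*(?::[0-9]{1,5})?" % (_LABEL, _LABEL))


def untaint_host(raw):
    """Return an allow-listed host[:port]; fall back to the configured default."""
    if raw is None:
        return DEFAULT_HOST
    candidate = raw.strip().lower()
    if len(candidate) > 255 or not _HOST_RE.fullmatch(candidate):
        return DEFAULT_HOST
    # Well-formed is not the same as trusted: only names we serve are accepted.
    return candidate if candidate in ALLOWED_HOSTS else DEFAULT_HOST


def base_href_tag(scheme, raw_host, path="/"):
    """Build a <base href> tag from an untainted host, escaped for an attribute."""
    url = "%s://%s%s" % (scheme, untaint_host(raw_host), path)
    return '<base href="%s">' % html.escape(url, quote=True)


# Constructed sample Host header values, not taken from any real traffic.
SAMPLES = [
    "www.example.com:443",   # exact allow-list match
    "WWW.Example.COM",       # case differs, normalised then accepted
    'x"><b>injected',        # markup characters, fails the syntax check
    "other.example.net",     # well-formed but not a host we serve
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", base_href_tag("https", value))
```
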