[PATCH] login: strip possible prefix from came_from if it's present
Mads Kiilerich
mads at kiilerich.com
Wed Sep 16 19:34:35 UTC 2015
On 09/16/2015 03:55 PM, Andrew Shadura wrote:
> # HG changeset patch
> # User Andrew Shadura <andrew at shadura.me>
> # Date 1442411574 -7200
> # Wed Sep 16 15:52:54 2015 +0200
> # Node ID 69ea9fc01a602f290b9e78b7cd057a899fa5ff37
> # Parent 889ff0f436c8b57f5962e204e699cbabc6d33aac
> login: strip possible prefix from came_from if it's present
>
> Also, reject came_from URL not belonging to our application.
It seems to me that the problem is that we put the absolute URL
(url.current()) in came_from; instead we should use PATH_INFO which is
relative to SCRIPT_NAME.

Alternatively, _redirect_to_origin should avoid using the url() function
that will prepend SCRIPT_NAME again ... but that seems less elegant...
/Mads
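
The doubled prefix and the rejection of foreign came_from values discussed in this thread, as an added example that is not Kallithea's code or part of the original mail. `app_url`, `safe_came_from` and the `/kallithea` mount prefix are hypothetical stand-ins for the url() helper, the validation step and SCRIPT_NAME.

```python
from urllib.parse import urlsplit


def app_url(script_name, path):
    """Hypothetical stand-in for a url() helper: prepends the mount prefix."""
    return script_name.rstrip("/") + "/" + path.lstrip("/")


def safe_came_from(came_from, script_name, default="/"):
    """Reduce came_from to an application-relative path (PATH_INFO style).

    Returns `default` for anything that could leave the application.
    """
    # Backslashes, spaces and control characters are handled inconsistently
    # by browsers and URL parsers, so refuse them outright.
    if not came_from or "\\" in came_from or any(ord(c) <= 0x20 for c in came_from):
        return default
    parts = urlsplit(came_from)
    # A scheme or host means the target is not ours: http://host/, //host/, javascript:
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Strip the mount prefix only on a whole-segment match. This is still a
    # heuristic: an application path that happens to start with the prefix is
    # indistinguishable, which is why storing PATH_INFO up front is cleaner.
    prefix = script_name.rstrip("/")
    if prefix and (path == prefix or path.startswith(prefix + "/")):
        path = path[len(prefix):] or "/"
    if parts.query:
        path += "?" + parts.query
    return path


if __name__ == "__main__":
    mount = "/kallithea"                      # constructed SCRIPT_NAME
    stored = "/kallithea/repo/files?rev=tip"  # constructed came_from with prefix
    print("unfixed :", app_url(mount, stored))
    print("fixed   :", app_url(mount, safe_came_from(stored, mount)))
    print("foreign :", safe_came_from("//evil.example/kallithea/", mount))
```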