[PATCH] login: strip possible prefix from came_from if it's present

Andrew Shadura andrew at shadura.me
Thu Sep 17 08:24:26 UTC 2015


On 16/09/15 21:34, Mads Kiilerich wrote:
>>
>> Also, reject came_from URL not belonging to our application.
> 
> It seems to be that the problem is that we put the absolute URL
> (url.current()) in came_from; instead we should use PATH_INFO which is
> relative to SCRIPT_NAME.

Putting a bogus URL (which it honestly is) didn't seem a good idea to
me, that's why I decided to do it this way.

-- 
Cheers,
  Andrew
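An added example, not part of the original message and not Kallithea's code: one way to combine the two ideas in this thread, reducing came_from to a path relative to SCRIPT_NAME and rejecting URLs that do not belong to the application. The function name, the `/kallithea` mount prefix and the `code.example` host are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def safe_came_from(came_from, script_name, host, default="/"):
    """Return a path relative to SCRIPT_NAME, or `default` if unsafe.

    script_name: WSGI SCRIPT_NAME (mount prefix); host: our Host header value.
    The caller prepends script_name again when issuing the redirect.
    """
    # Backslashes and control characters are parsed inconsistently by browsers.
    if not came_from or any(ch in came_from for ch in "\\\r\n\t\0"):
        return default
    parts = urlsplit(came_from)
    absolute = bool(parts.scheme or parts.netloc)
    if absolute:
        # Reject URLs not belonging to our application: wrong scheme or host.
        # Comparing the whole netloc also rejects userinfo tricks (a@b).
        if parts.scheme not in ("http", "https"):
            return default
        if parts.netloc.lower() != host.lower():
            return default
    path = parts.path
    # Only rooted paths; a leading "//" would be read as a network location.
    if not path.startswith("/") or path.startswith("//"):
        return default
    prefix = script_name.rstrip("/")
    if prefix and (path == prefix or path.startswith(prefix + "/")):
        # Strip the mount prefix if it is present.
        path = path[len(prefix):] or "/"
    elif prefix and absolute:
        # Absolute URL on our host, but outside our mount point.
        return default
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample inputs.
    for value in ("http://code.example/kallithea/repo/files?rev=1",
                  "/kallithea/repo", "/repo",
                  "http://evil.example/kallithea/repo", "//evil.example/x"):
        print(repr(value), "->", safe_came_from(value, "/kallithea", "code.example"))
```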
