[PATCH] login: strip possible prefix from came_from if it's present
Andrew Shadura
andrew at shadura.me
Thu Sep 17 08:24:26 UTC 2015
On 16/09/15 21:34, Mads Kiilerich wrote:
>>
>> Also, reject came_from URL not belonging to our application.
>
> It seems to be that the problem is that we put the absolute URL
> (url.current()) in came_from; instead we should use PATH_INFO which is
> relative to SCRIPT_NAME.
Putting a bogus URL (which it honestly is) didn't seem a good idea to
me, that's why I decided to do it this way.
--
Cheers,
Andrew
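
The two behaviours named in this thread (stripping the application prefix from came_from and rejecting a came_from that does not belong to the application), as an added example that is not the patch under discussion or Kallithea's code. The function name `safe_came_from`, its parameters, and the choice to accept only paths and reject anything carrying a scheme or host are assumptions.

```python
from urllib.parse import urlsplit


def safe_came_from(came_from, script_name="", default="/"):
    """Return a path relative to script_name, or `default` if came_from is unsafe.

    Hypothetical helper: `script_name` stands for the WSGI SCRIPT_NAME prefix.
    """
    if not came_from:
        return default
    # Browsers treat "\" like "/" and drop control characters, so refuse both.
    if "\\" in came_from or any(ord(c) < 0x20 or ord(c) == 0x7F for c in came_from):
        return default
    parts = urlsplit(came_from)
    # Any scheme or host means the target may be outside the application.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Strip the prefix only on a path-segment boundary ("/app" must not match "/app2").
    prefix = script_name.rstrip("/")
    if prefix and (path == prefix or path.startswith(prefix + "/")):
        path = path[len(prefix):] or "/"
    # Stripping can expose a scheme-relative URL: "/app//host" becomes "//host".
    if path.startswith("//"):
        return default
    # The fragment is dropped; the query string is kept.
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for value in ["/kallithea/repo/summary?rev=1", "//evil.example/x",
                  "https://evil.example/", "/kallithea//evil.example"]:
        print(repr(value), "->", repr(safe_came_from(value, "/kallithea")))
```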