Commit 35cd7149 authored by Tres Seaver's avatar Tres Seaver

Prevent arbitrary redirections via faked "CANCEL" buttons.

Fixes LP #1094144.
parent 2bd0564c
...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/ ...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased) 2.13.21 (unreleased)
-------------------- --------------------
- LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons.
- LP #1094221: add permissions to some unprotected methods of - LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``. ``OFS.ObjectManager``.
...@@ -12,9 +12,11 @@ ...@@ -12,9 +12,11 @@
############################################################################## ##############################################################################
"""Python Object Publisher -- Publish Python objects on web servers """Python Object Publisher -- Publish Python objects on web servers
""" """
import os
import sys, os import sys
import transaction import transaction
from urlparse import urlparse
from Response import Response from Response import Response
from Request import Request from Request import Request
from maybe_lock import allocate_lock from maybe_lock import allocate_lock
...@@ -89,8 +91,18 @@ def publish(request, module_name, after_list, debug=0, ...@@ -89,8 +91,18 @@ def publish(request, module_name, after_list, debug=0,
response=request.response response=request.response
# First check for "cancel" redirect: # First check for "cancel" redirect:
if request_get('SUBMIT','').strip().lower()=='cancel': if request_get('SUBMIT', '').strip().lower() == 'cancel':
cancel=request_get('CANCEL_ACTION','') cancel = request_get('CANCEL_ACTION', '')
if cancel:
# Relative URLs aren't part of the spec, but are accepted by
# some browsers.
for part, base in zip(urlparse(cancel)[:3],
urlparse(request['BASE1'])[:3]):
if not part:
continue
if not part.startswith(base):
cancel = ''
break
if cancel: if cancel:
raise Redirect, cancel raise Redirect, cancel
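Review bot: The comparison at `if not part.startswith(base):` is applied to the netloc as well as to the scheme and path, and a prefix test on the host accepts any host name that merely begins with the site's own host, so the redirect sink this commit guards is narrowed rather than closed. Prefix matching is only meaningful for the path component; the netloc should be compared for equality, case-insensitively, and the scheme kept to the same-prefix rule the commit already uses so an https cancel from an http BASE1 keeps working. Whether BASE1's netloc carries a port, and whether the two sides need it stripped consistently, depends on how the request builds BASE1, which is outside this hunk. publish() starts before this hunk and continues after it.
```python
            if cancel:
                # Relative URLs aren't part of the spec, but are accepted by
                # some browsers.
                c_scheme, c_netloc, c_path = urlparse(cancel)[:3]
                b_scheme, b_netloc, b_path = urlparse(request['BASE1'])[:3]
                # Host must match exactly: a prefix test would accept any
                # host that merely starts with our own.
                if ((c_scheme and not c_scheme.startswith(b_scheme)) or
                    (c_netloc and c_netloc.lower() != b_netloc.lower()) or
                    (c_path and not c_path.startswith(b_path))):
                    cancel = ''
            # ... unchanged: raise Redirect when cancel survives ...
```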