Roundup Tracker - Issues


Author rouilj
Recipients antmail, rouilj
Date 2017-09-11.23:50:23
Message-id <20170911235010.51DB94C0A10@itserver6.localdomain>
In-reply-to <>
Hi Anthony:

In message <>,
Anthony writes:
>I found that I can't set value of "__redirect_to" to the relative url.

That's correct and intentional. The __redirect_to (and _came_from)
parameter is accessible to the user or to any nasty malware in the

>Recently introduced examine_url() function will raise an error in such
>case because it expect only an absolute url.

From the comment right above that block:

       To try to prevent XSS attacks, validate that the url that is
       passed in is under self.base for the tracker. This is used to
       clean up "__came_from" and "__redirect_to" form variables used
       by the LoginAction and NewItemAction actions.

I assume the URL is generated by accessing the base url in the tracker
config and using that to generate an absolute url. For example:

    tal:attributes="value string:${request/base}${request/env/PATH_INFO}?${request/env/QUERY_STRING}"

What is your use case where this must be a relative url?
Date User Action Args
2017-09-11 23:50:24rouiljsetrecipients: + rouilj, antmail
2017-09-11 23:50:24rouiljlinkissue2550951 messages
2017-09-11 23:50:23rouiljcreate