Message6013
Hello, John.
> What is your use case where this must be a relative url?
Just something like
<input type="hidden" name="__redirect_to" value="issue">
I think this variant has much better readability. Also, I see
no reason to constrain the URL to be absolute inside the tracker's HTML.
Am I wrong?
> That's correct and intentional. The __redirect_to (and _came_from)
> parameter is accessible to the user or to any nasty malware in the
> browser.
> From the comment right above that block:
> To try to prevent XSS attacks, validate that the url that is
> passed in is under self.base for the tracker. This is used to
> clean up "__came_from" and "__redirect_to" form variables used
> by the LoginAction and NewItemAction actions.
I think the relative URL that is passed in is under self.base by
definition. Is that true?
As you see in the patch, I pass URL base checking only in the case when it is a
relative URL.
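An added example, not Roundup's own code and not the poster's patch, of the base check the quoted comment describes: the candidate is resolved against the tracker base before comparing, so a bare relative path such as "issue" stays under the tracker while scheme-relative ("//host/...") or other-host values do not. TRACKER_BASE is a constructed stand-in for self.base.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the tracker's self.base (assumption, not a real host).
TRACKER_BASE = "https://tracker.example.org/roundup/"


def is_under_base(candidate: str, base: str = TRACKER_BASE) -> bool:
    """Return True if `candidate`, resolved against `base`, stays under `base`.

    Resolving first is what makes the check meaningful for relative values:
    "issue" and "issue42?@action=view" land under the tracker, whereas
    "//other.example/x", "../admin" or "javascript:..." resolve somewhere
    else even though none of them starts with the base string.
    """
    # Browsers (WHATWG URL parsing) treat a backslash like a slash for
    # http(s) URLs, urljoin does not; refuse rather than guess.
    if "\\" in candidate:
        return False

    base_parts = urlsplit(base)
    target_parts = urlsplit(urljoin(base, candidate))

    # Scheme and host must be exactly the tracker's own.
    if target_parts.scheme != base_parts.scheme:
        return False
    if target_parts.netloc.lower() != base_parts.netloc.lower():
        return False

    # Path must be the base path itself or a descendant of it; the trailing
    # slash keeps "/roundupx" from matching a base of "/roundup/".
    base_path = base_parts.path.rstrip("/")
    return (
        target_parts.path == base_path
        or target_parts.path.startswith(base_path + "/")
    )
```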
Date | User | Action | Args
2017-09-12 09:19:42 | antmail | set | recipients: + antmail, rouilj
2017-09-12 09:19:42 | antmail | link | issue2550951 messages
2017-09-12 09:19:41 | antmail | create |