Roundup Tracker - Issues

Message6013

Author antmail
Recipients antmail, rouilj
Date 2017-09-12.09:19:41
Message-id <225309719.20170912121932@inbox.ru>
In-reply-to <20170911235010.51DB94C0A10@itserver6.localdomain>
Hello, John.

> What is your use case where this must be a relative url?

Just something like
<input type="hidden" name="__redirect_to" value="issue">

 I   think   this  variant  has  a much better readability. Also I see
no reason to constraint URL to be absolute inside tracker's html.
Am I wrong?

> That's correct and intentional. The __redirect_to (and _came_from)
> parameter is accessible to the user or to any nasty malware in the
> browser.
>>From the comment right above that block:
>        To try to prevent XSS attacks, validate that the url that is
>        passed in is under self.base for the tracker. This is used to
>        clean up "__came_from" and "__redirect_to" form variables used
>        by the LoginAction and NewItemAction actions.

I  think  the  relative  url  that  is passed in is under self.base by
definition. Is it true?

As you see in patch I pass URL base checking only in case when it is a
relative URL.
History
Date User Action Args
2017-09-12 09:19:42antmailsetrecipients: + antmail, rouilj
2017-09-12 09:19:42antmaillinkissue2550951 messages
2017-09-12 09:19:41antmailcreate