Commit 35cd7149 authored by Tres Seaver's avatar Tres Seaver

Prevent arbitrary redirections via faked "CANCEL" buttons.

Fixes LP #1094144.
parent 2bd0564c
......@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased)
--------------------
- LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons.
- LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``.
......
......@@ -12,9 +12,11 @@
##############################################################################
"""Python Object Publisher -- Publish Python objects on web servers
"""
import sys, os
import os
import sys
import transaction
from urlparse import urlparse
from Response import Response
from Request import Request
from maybe_lock import allocate_lock
......@@ -89,8 +91,18 @@ def publish(request, module_name, after_list, debug=0,
response=request.response
# First check for "cancel" redirect:
if request_get('SUBMIT','').strip().lower()=='cancel':
cancel=request_get('CANCEL_ACTION','')
if request_get('SUBMIT', '').strip().lower() == 'cancel':
cancel = request_get('CANCEL_ACTION', '')
if cancel:
# Relative URLs aren't part of the spec, but are accepted by
# some browsers.
for part, base in zip(urlparse(cancel)[:3],
urlparse(request['BASE1'])[:3]):
if not part:
continue
if not part.startswith(base):
cancel = ''
break
if cancel:
raise Redirect, cancel
......
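Review bot: The component test at `if not part.startswith(base):` applies a prefix match to the host (netloc) as well as to the path, so a CANCEL_ACTION whose host merely begins with the site's host — a longer look-alike host name, or a `user@host` form, both of which urlparse reports as the netloc — passes the check and the redirect remains attacker-controlled. A prefix test is reasonable for the path, but the netloc should be compared for equality (case-insensitively, since host names are case-insensitive), and doing so per component is clearer than the positional zip. The enclosing `publish()` starts before the hunk (its signature is only in the hunk header) and continues after it. A rewrite of the block under `if cancel:` that keeps the scheme and path tests as they are and tightens only the host comparison:

```python
if cancel:
    # Relative URLs aren't part of the spec, but are accepted by
    # some browsers.
    scheme, netloc, path = urlparse(cancel)[:3]
    base_scheme, base_netloc, base_path = urlparse(request['BASE1'])[:3]
    if scheme and not scheme.startswith(base_scheme):
        cancel = ''
    # Host must match exactly: a prefix test would accept look-alike
    # hosts and user@host forms.
    elif netloc and netloc.lower() != base_netloc.lower():
        cancel = ''
    elif path and not path.startswith(base_path):
        cancel = ''
# ... unchanged: raise Redirect when cancel survives ...
```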