Prevent arbitrary redirections via faked "CANCEL" buttons.
Fixes LP #1094144.
tseaver committed Jul 5, 2013
1 parent 2bd0564 commit 35cd714
Showing 2 changed files with 18 additions and 4 deletions.
2 changes: 2 additions & 0 deletions doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased)
--------------------

- LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons.

- LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``.

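Review bot: the changelog line restates the commit title but not the rule the fix enforces; stating that CANCEL_ACTION is now honoured only when its scheme, host and path agree with the request's BASE1 would tell integrators why a previously working absolute cancel URL may now be ignored.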
20 changes: 16 additions & 4 deletions src/ZPublisher/Publish.py
@@ -12,9 +12,11 @@
##############################################################################
"""Python Object Publisher -- Publish Python objects on web servers
"""

import sys, os
import os
import sys
import transaction
from urlparse import urlparse

from Response import Response
from Request import Request
from maybe_lock import allocate_lock
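Review bot: no issue with this hunk; splitting `import sys, os` into one import per line and adding `from urlparse import urlparse` is consistent with the rest of the module and with the Python 2 target of this branch.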
@@ -89,8 +91,18 @@ def publish(request, module_name, after_list, debug=0,
response=request.response

# First check for "cancel" redirect:
if request_get('SUBMIT','').strip().lower()=='cancel':
cancel=request_get('CANCEL_ACTION','')
if request_get('SUBMIT', '').strip().lower() == 'cancel':
cancel = request_get('CANCEL_ACTION', '')
if cancel:
# Relative URLs aren't part of the spec, but are accepted by
# some browsers.
for part, base in zip(urlparse(cancel)[:3],
urlparse(request['BASE1'])[:3]):
if not part:
continue
if not part.startswith(base):
cancel = ''
break
if cancel:
raise Redirect, cancel

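Review bot: the `part.startswith(base)` test in the loop is a prefix match on all three components, which is weaker than intended for the netloc: a host name that merely begins with the BASE1 host name satisfies it, so the redirect can still leave the site. Compare scheme and netloc for equality and keep `startswith` only for the path component, e.g. `if i < 2 and part != base` / `if i == 2 and not part.startswith(base)` (with `enumerate` over the zipped pairs). The empty-part `continue` correctly lets relative URLs through, as the comment says, but note that a scheme-relative `//host/path` value has an empty scheme and is only checked on host and path, which the equality change above would cover.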