Test multiple camefrom params

zopefoundation · May 2, 2017 · 63e6cc9 · 63e6cc9
1 parent bb7a9fe
commit 63e6cc9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/src/zope/app/authentication/browser/loginform.py b/src/zope/app/authentication/browser/loginform.py
@@ -32,10 +32,9 @@ def __call__(self):
         self.unauthenticated = unauthenticated
 
         camefrom = request.get('camefrom')
-        if isinstance(camefrom, list): # pragma: no cover
-            # this can happen on python2.6, as it changed the
-            # behaviour of cgi.FieldStorage a bit.
-            # XXX: Just Python 2.6 or later too? Tests don't produce this.
+        if isinstance(camefrom, list):
+            # Beginning on python2.6 this happens if the parameter is
+            # supplied more than once
             camefrom = camefrom[0]
         self.camefrom = camefrom
 

diff --git a/src/zope/app/authentication/browser/principalfolder.rst b/src/zope/app/authentication/browser/principalfolder.rst
@@ -88,19 +88,21 @@ the users folder as the authenticator plugin, and the session utility as the cre
   ...  r"""UPDATE_SUBMIT=Change&field.credentialsPlugins=U2Vzc2lvbiBDcmVkZW50aWFscw==&field.authenticatorPlugins=dXNlcnM="""
   ...  """&field.credentialsPlugins.to=U2Vzc2lvbiBDcmVkZW50aWFscw==&field.authenticatorPlugins.to=dXNlcnM=""")
 
-Now, with this in place, Bob can log in, but he isn't allowed to
-access the management interface. When he attempts to do so, the PAU
-issues a challenge to let bob login as a different user
+Now, with this in place, Bob can log in (incidentally , if Bob
+accidentally sends two values for the ``camefrom`` parameter, only the
+first is respected):
 
-  >>> bob_browser.open("/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%2F")
+  >>> bob_browser.open("/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%2F&camefrom=foo")
   >>> bob_browser.getControl(name="login").value = 'bob'
   >>> bob_browser.getControl(name="password").value = 'bob'
   >>> bob_browser.getControl(name="SUBMIT").click()
   >>> print(bob_browser.url)
   http://localhost/
 
-When he attempts to do so, the PAU issues a challenge to let bob login
-as a different user
+
+However, Bob isn't allowed to access the management interface. When he
+attempts to do so, the PAU issues a challenge to let bob login as a
+different user:
 
   >>> bob_browser.open("/+")
   >>> print(bob_browser.url)