Hello Amaya,

Amaya wrote (Sun 2006-Dec-31 12:44:16 +0100):

> > Please note that this change does not match the syntax suggested for
> > the value of DefaultUrlHost in LocalSite.cfg: A trailing slash is
> > given in the default config but excluded from the first pair of
> > brackets in the above regular expression.
..
> Can you provide a patch? I am just sponsoring twiki and I am not
> familiar enough with it yet. Sven is on holidays, so he might be away
> from the computer at the moment.

Well, I'd change the error message to contain information about
the reason for the denial of the request:

  Sven's version:
    params => [ 'redirect', 'unsafe redirect to '.$url ]);

  A suggestion:
    params => [ 'redirect', 'unsafe redirect to '.$url.': '.$host.' does not match DefaultUrlHost' ]);

I would hope that any TWiki admin would be able to find
DefaultUrlHost in /etc/twiki and note the difference.

Since I don't fully understand the intentions behind the regular
expression matching on the redirection target and don't know the
code creating and handling this piece of information, I can't
suggest a good replacement. What happens if the (malicious)
redirect points to a target such as "bad.server" instead of
"http://bad.server" (if this is possible at all) -- which
wouldn't match the expression anyway but might be supported by a
lot of browsers and thus be successful?


Cheers, Marcus

-- 
Marcus C. Gottwald
Quantum Hydrometrie GmbH, Zossener Str. 55, 10961 Berlin, Germany
Tel: +49.(0)30.698110-0, Fax: +49.(0)30.698110-99
eMail: <[EMAIL PROTECTED]>
Web: http://www.quantum-hydrometrie.de
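
The check Marcus is asking about, as an added illustration that is not TWiki's own Perl code and not part of the thread: a small Python routine that normalises DefaultUrlHost (tolerating the trailing slash from the default LocalSite.cfg), resolves the redirect target against the site URL the way a browser resolves a Location header, and then compares parsed host and port rather than matching a prefix with a regular expression. The error message follows Marcus's suggestion of naming the host that failed. The value of DEFAULT_URL_HOST and the names site_origin and check_redirect are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample value for the example; it keeps the trailing slash that
# the default LocalSite.cfg uses for DefaultUrlHost (the mismatch discussed
# in the thread).
DEFAULT_URL_HOST = "http://twiki.example/"


def site_origin(default_url_host):
    """Parse DefaultUrlHost into (scheme, hostname, port).

    A trailing slash (as in the shipped default) is stripped before parsing,
    so "http://twiki.example/" and "http://twiki.example" compare equal.
    """
    parts = urlsplit(default_url_host.rstrip("/"))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(
            "DefaultUrlHost must be an absolute http(s) URL: %r" % default_url_host)
    return parts.scheme, parts.hostname.lower(), parts.port


def check_redirect(target, default_url_host=DEFAULT_URL_HOST):
    """Decide whether a redirect target stays on DefaultUrlHost.

    Returns (True, absolute_url) when the target is acceptable, otherwise
    (False, reason) with a message naming the host that failed the check.
    """
    # Reject CR/LF (response-header injection) and backslashes, which
    # browsers treat as forward slashes in http(s) URLs, so that
    # "/\\bad.server" would behave like the protocol-relative "//bad.server".
    if any(c in target for c in "\r\n\\"):
        return False, "unsafe redirect to %s: contains CR, LF or backslash" % target

    scheme, host, port = site_origin(default_url_host)
    base = "%s://%s%s/" % (scheme, host, ":%d" % port if port else "")

    # Resolve the target the way a browser resolves a Location header:
    # a relative reference (including a bare "bad.server") is joined onto the
    # site's own URL; an absolute or protocol-relative one replaces it.
    resolved = urljoin(base, target)
    parts = urlsplit(resolved)
    try:
        target_host = (parts.hostname or "").lower()
        target_port = parts.port
    except ValueError:  # e.g. a non-numeric port in the authority
        return False, "unsafe redirect to %s: unparsable authority" % target

    if parts.scheme not in ("http", "https"):
        return False, "unsafe redirect to %s: scheme %r not allowed" % (
            target, parts.scheme)
    if target_host != host or target_port != port:
        return False, "unsafe redirect to %s: %s does not match DefaultUrlHost" % (
            target, target_host or "(no host)")
    return True, resolved


if __name__ == "__main__":
    # Constructed sample targets: the first three stay on the site, the rest
    # leave it (or try to) and are refused with a host-naming reason.
    for t in ("/bin/view/Main/WebHome", "bad.server", "https://twiki.example/x",
              "http://bad.server/", "//bad.server/", "http://twiki.example.evil.com/",
              "http://twiki.example@bad.server/", "/\\bad.server", "javascript:alert(1)"):
        print("%-38s -> %s" % (t, check_redirect(t)))
```

Two points the example makes that the regular expression in the thread does not: a bare "bad.server" as a Location value is a relative reference and resolves to a path on the site itself, so it is not an off-site redirect; and the dangerous forms are the protocol-relative "//bad.server", a userinfo prefix such as "http://twiki.example@bad.server", and a longer hostname such as "twiki.example.evil.com", all of which a prefix match on DefaultUrlHost can get wrong but a parsed-hostname comparison rejects.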

