If you do have two _next variables in the query string, you might want to 
figure out if that is a bug, and if not, you have to decide which of the 
two is the correct one to use.

Anthony

On Tuesday, August 4, 2015 at 11:14:52 AM UTC-4, Massimo Di Pierro wrote:
>
> Not a security issue but definitely something is wrong. Not in the call 
> you show, but it appears sometimes you have two _next parameters, as in
>
> ...login/_next=...&_next=....
>
> so in your code you should do
> if isinstance(request.vars._next, list): request.vars._next = request.vars._next[0]
> if 'default/index' in request.vars._next: do something...
>
> On Sunday, 2 August 2015 21:01:45 UTC-5, Alex Glaros wrote:
>>
>> I typed this in user.html
>>
>> {{=request.get_vars}} : print request.get_vars <br>
>> {{=request.post_vars}} : print request.post_vars
>>
>>
>> and got this:
>>
>> <Storage {'_next': '/ES1/default/index'}> : print request.get_vars 
>> <Storage {}> : print request.post_vars
>>
>> It's a little over my head so will postpone working on it until I know 
>> w2p a little better. Unless anyone thinks this is a major security issue.
>>
>> thanks
>>
>> Alex
>>
>
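
An added example, not part of the original thread and not web2py's own code: a stand-alone helper that reduces a `_next` value that may arrive as a string or, when the parameter is repeated, as a list, to a single redirect target. The names `pick_next` and `next_from_query`, the fallback to a default when the repeated values disagree, and the rule that only same-site paths are accepted are assumptions of this example.

```python
from urllib.parse import parse_qs, urlsplit


def pick_next(value, default="/"):
    """Reduce a `_next` value (None, str, or list of str) to one local path.

    `value` has the shape the thread describes for request.vars._next:
    a str for a single parameter, a list when `_next` appears twice.
    """
    if value is None:
        return default
    candidates = value if isinstance(value, list) else [value]
    # Collapse exact repeats while keeping order.
    unique = list(dict.fromkeys(candidates))
    if len(unique) != 1:
        # Two different targets: ambiguous, so do not guess (assumed policy).
        return default
    target = unique[0]
    parts = urlsplit(target)
    # Assumed policy: accept only a path on this site, never a full URL.
    if parts.scheme or parts.netloc:
        return default
    if not target.startswith("/") or "\\" in target:
        return default
    return target


def next_from_query(query_string, default="/"):
    """Parse a raw query string and apply pick_next to its `_next` values."""
    values = parse_qs(query_string).get("_next")
    if values is not None and len(values) == 1:
        values = values[0]  # single occurrence behaves like a plain string
    return pick_next(values, default)


if __name__ == "__main__":
    # Constructed sample query strings.
    for qs in (
        "_next=/ES1/default/index",
        "_next=/ES1/default/index&_next=/ES1/default/index",
        "_next=/ES1/default/index&_next=/ES1/default/other",
    ):
        print(qs, "->", next_from_query(qs))
```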
