python - Django: information leakage problem when using @login_required and setting LOGIN_URL -

-

i found form of information leakage when using @login_required decorator , setting login_url variable.

i have site requires mandatory login content. problem redirected login page next variable set when it's existing page.

so when not logged in , asking for:

 http://localhost:8000/validurl/

you see this:

 http://localhost:8000/login/?next=/validurl/

and when requesting non existing page:

 http://localhost:8000/faultyurl/

you see this:

 http://localhost:8000/login/

which reveals information dont want. thought of overriding login method, forcing next empty , calling 'super' on subclassed method.

an additional problem of tests fail without login_url set. redirect '/accounts/login/' instead of '/login/'. hence why i'd use login_url disable 'auto next' feature.

anybody can shed light on subject?

thanx lot.

gerard.

you can include line last pattern in urls.py file. re-route urls not match other pattern login page.

urlpatterns = patterns('',      ...      (r'^(?p<path>.+)$', 'django.views.generic.simple.redirect_to', {         'url': '/login/?next=/%(path)s',          'permanent': false     }), )

edit: keep raising 404 pages authenticated users, following:

from django.http import http404, httpresponseredirect def fake_redirect(request, path):     if request.user.is_authenticated:         raise http404()     else:         return httpresponseredirect('/login/?next=/%s' % path)  urlpatterns = patterns('',      ...      (r'^(?p<path>.+)$', fake_redirect), )

Comments

Post a Comment

Popular posts from this blog

ruby - When to use an ORM (Sequel, Datamapper, AR, etc.) vs. pure SQL for querying -

-
a colleague of mine designing sql queries 1 below produce reports, displayed in excel files through external data query. @ present, reporting processes on db required (no crud operations). i trying convince him better use ruby orm in order able display data in rails/sinatra app. despite obvious advantages in displaying data, advantages there him in learning use orm sequel or datamapper? the sql queries writing quite complex, , being relatively new sql, complains time-consuming , confusing. possible write extremely complex queries orm? , if so, suitable(i have heard sequel legacy dbs)? , advantages of learning ruby , using orm versus sticking plain sql, in making complex database queries? i'm datamapper maintainer, , think complex reporting should use sql. while think someday we'll have dsl provides power , conciseness of sql, i've seen far requires write more ruby code sql complex queries. rather maintain 5 line sql query 10-15 lines of ruby code desc...
Read more

php - PHPDoc: @return void necessary? -

-
is necessary this: /** * ... * * @return void */ i have quite few methods don't have return value, , seems redundant put in comment. considered bad form leave out? if makes clear documentation, leave in, isn't strictly necessary. it's entirely subjective decision. personally, leave out. edit stand corrected. after little googling, wikipedia page says: @return [type description] tag should not used constructors or methods defined void return type. the phpdoc.org website says: @return datatype description @return datatype1|datatype2 description the @return tag used document return value of functions or methods. @returns alias @return support tag formats of other automatic documentors the datatype should valid php type (int, string, bool, etc), class name type of object returned, or "mixed". if want explicitly show multiple possible return types, list them pipe-delimited without spaces (e.g. "@retur...
Read more

c++ - Convert big endian to little endian when reading from a binary file -

-
this question has answer here: how convert between big-endian , little-endian values in c++? 28 answers i've been looking around how convert big-endian little-endians. didn't find solve problem. seem there's many way can conversion. anyway following code works ok in big-endian system. how should write conversion function work on little-endian system well? this homework, since systems @ school running big-endian system. it's got curious , wanted make work on home computer also #include <iostream> #include <fstream> using namespace std; int main() { ifstream file; file.open("file.bin", ios::in | ios::binary); if(!file) cerr << "not able read" << endl; else { cout << "opened" << endl; int i_var; double d_var; while(!file.eof()) {...
Read more