[TYPO3-core] RFC: #11396: redirects not working for felogin on pages with access set
Steffen Kamper
info at sk-typo3.de
Tue Sep 8 21:09:25 CEST 2009
Hi Ernesto,
Ernesto Baschny [cron IT] wrote:
> Hi,
>
> haven't tested the patch, but setting ###ACTION_URI### to a string which
> might potentially come (unchecked!) from a GET parameter can be pretty
> dangerous. There is already code doing that in felogin, AFAIK, so this
> has to be checked anyway.
>
As we already talked about, I will provide a patch to validate
return_url. The check shouldn't be done at this place, and writing
return_url to action or doing a redirect with it doesn't make a difference,
so this patch isn't affected by this problem.
Regards, Steffen