The _next variable allows redirecting the user to an arbitrary URI, exposing a potential security flaw. One of my company's web2py apps was tagged as having this issue in a routine 3rd party scan. I am fixing this for the web2py we use by creating a whitelist feature. Is this something I should contribute back? Not sure if this is a design philosophy difference or an oversight.
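One way to implement the whitelist check described in the post, as an added example that is not part of the original message or of web2py's own code. `safe_next`, `ALLOWED_HOSTS` and the example.com hosts are hypothetical names; the function would be applied to the value of `_next` before any redirect is issued.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real app would load it from config.
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}


def safe_next(next_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return next_url if it is a safe redirect target, otherwise default."""
    if not next_url or not isinstance(next_url, str):
        return default
    # Browsers strip or normalise control characters, whitespace and
    # backslashes before resolving a URL, so a target containing any of
    # them may not go where a server-side parser thinks it goes.
    if any(ch <= " " or ch == "\x7f" or ch == "\\" for ch in next_url):
        return default
    try:
        parts = urlsplit(next_url)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Local redirect: exactly one leading slash. "//host" and "///host"
        # are resolved by browsers as a different origin.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return default
    # Absolute URL: http(s) only, no userinfo, host must be on the allowlist.
    if parts.scheme not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if host and host.lower() in allowed_hosts:
        return next_url
    return default
```

Comparing the parsed hostname for exact membership, rather than using a prefix or substring test, is what rejects look-alike hosts such as `app.example.com.evil.example`.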