I get a 500 when I fuzz the login param:
https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F
Don't yet have a stacktrace, though.
This got caught in spam last night but you were off when I replied. Anyway, stacktrace:

SuspiciousOperation: Unsafe redirect to http://www.google.com
Powerfuzzer: v1 BETA

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "session_csrf/__init__.py", line 127, in wrapper
    response = f(request, *args, **kw)
  File "mkt/developers/views.py", line 111, in login
    return _login(request, template='developers/login.html')
  File "users/views.py", line 399, in _login
    request = _clean_next_url(request)
  File "users/views.py", line 298, in _clean_next_url
    raise SuspiciousOperation('Unsafe redirect to %s' % url)

We should just log this and fail quietly. Hanno - want to adjust?
Assignee: nobody → hschlichting
Severity: major → normal
Target Milestone: --- → 2012-10-25
Patch created and sent in https://github.com/mozilla/zamboni/pull/465
Pull request merged.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Verified FIXED: [09:22:57.920] GET https://marketplace-dev.allizom.org/login?to=http%3A%2F%2Fwww.google.com%2F [HTTP/1.1 200 OK 452ms]
Status: RESOLVED → VERIFIED
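
The behaviour requested in this bug (log the unsafe `to` value and fall back quietly instead of raising SuspiciousOperation) sketched as an added example; it is not the zamboni patch from the pull request. The names `clean_next_url`, `is_safe_redirect`, `ALLOWED_HOSTS` and the "/" fallback are assumptions, and `params` is assumed to hold already URL-decoded query values.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("login.redirect")

# Assumptions for this sketch: the only trusted host and the fallback target.
ALLOWED_HOSTS = {"marketplace-dev.allizom.org"}
DEFAULT_TARGET = "/"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for same-site paths or http(s) URLs on an allowed host."""
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False  # empty, or contains whitespace/control characters
    # Browsers treat a backslash like "/", so normalise before parsing.
    url = url.replace("\\", "/")
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept absolute paths only, never "//host" forms.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # blocks javascript:, data:, and scheme-relative URLs
    return parts.hostname in allowed_hosts


def clean_next_url(params, key="to", default=DEFAULT_TARGET):
    """Pick the post-login target; log and fall back instead of raising."""
    url = params.get(key, "")
    if not url:
        return default
    if is_safe_redirect(url):
        return url
    # Fail quietly: the user still gets the login page (HTTP 200), and the
    # attempt is recorded for whoever reviews the logs.
    log.warning("Unsafe redirect to %r ignored", url)
    return default
```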