
schooltool-developers team mailing list archive

Re: CAS problem

 

2010/4/5 Douglas Cerna <douglascerna@xxxxxxxxx>:
> Alan:
>
> Try changing:
>
>>     request.response.redirect(requrl)
>
> to:
>
>>     request.response.redirect(requrl, trusted=True)
>
> in the authenticate method of the plugin in /srv/schooltool/schooltool.cas/src/schooltool/cas/__init__.py

Yes, that's how it was fixed long ago:
http://bazaar.launchpad.net/~schooltool-owners/schooltool.cas/trunk/revision/32

>
> Douglas
>
> "... that's when you realize that bad things can turn out to be pretty good..." - Lionel Messi
>
> Please avoid sending me Word, Excel or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.es.html
>
>
> --- On Mon, 4/5/10, Douglas Cerna <douglascerna@xxxxxxxxx> wrote:
>
>> From: Douglas Cerna <douglascerna@xxxxxxxxx>
>> Subject: Re: [Schooltool-developers] CAS problem
>> To: "Alan Elkner" <aelkner@xxxxxxxxx>
>> Cc: "SchoolTool Developers" <schooltool-developers@xxxxxxxxxxxxxxxxxxx>
>> Date: Monday, April 5, 2010, 2:13 PM
>> Alan:
>>
>> Check for the zope.publisher PyPI page:
>>
>> http://pypi.python.org/pypi/zope.publisher
>>
>> Maybe it's related to the changes on "3.9.0 (2009-08-27)"
>>
>> """Fix #98471: Restrict redirects to current host. This
>> causes a ValueError to be raised in the case of redirecting
>> to a different host. If this is intentional, the parameter
>> trusted can be given."""
>>
>> Douglas
>>
>> "... that's when you realize that bad things can turn out to be pretty good..." - Lionel Messi
>>
>> Please avoid sending me Word, Excel or PowerPoint attachments.
>> See http://www.gnu.org/philosophy/no-word-attachments.es.html
>>
>>
>> --- On Mon, 4/5/10, Alan Elkner <aelkner@xxxxxxxxx> wrote:
>>
>> > From: Alan Elkner <aelkner@xxxxxxxxx>
>> > Subject: [Schooltool-developers] CAS problem
>> > To: schooltool-developers@xxxxxxxxxxxxxxxxxxx
>> > Date: Monday, April 5, 2010, 2:03 PM
>> > Could it be that we need to change something in schooltool.cas as a
>> > result of using new zope packages?  Starting schooltool at SLA with
>> > CAS enabled gives the following error:
>> >
>> > Traceback (most recent call last):
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/publish.py", line 131, in publish
>> >     obj = request.traverse(obj)
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/browser.py", line 542, in traverse
>> >     ob = super(BrowserRequest, self).traverse(obj)
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/http.py", line 456, in traverse
>> >     ob = super(HTTPRequest, self).traverse(obj)
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/base.py", line 250, in traverse
>> >     publication.callTraversalHooks(self, obj)
>> >   File "/srv/schooltool/schooltool/eggs/zope.app.publication-3.10.0-py2.5.egg/zope/app/publication/zopepublication.py", line 135, in callTraversalHooks
>> >     self._maybePlacefullyAuthenticate(request, ob)
>> >   File "/srv/schooltool/schooltool/eggs/zope.app.publication-3.10.0-py2.5.egg/zope/app/publication/zopepublication.py", line 122, in _maybePlacefullyAuthenticate
>> >     principal = auth.authenticate(request)
>> >   File "/srv/schooltool/schooltool/src/schooltool/app/security.py", line 219, in authenticate
>> >     return self.authPlugin.authenticate(request)
>> >   File "/srv/schooltool/schooltool.cas/src/schooltool/cas/__init__.py", line 125, in authenticate
>> >     request.response.redirect(requrl)
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/browser.py", line 761, in redirect
>> >     return super(BrowserResponse, self).redirect(location, status, trusted)
>> >   File "/srv/schooltool/schooltool/eggs/zope.publisher-3.11.0-py2.5.egg/zope/publisher/http.py", line 888, in redirect
>> >     % target_host)
>> > ValueError: Untrusted redirect to host 'sla.cas.host:443' not allowed.
>> >
>> > I replaced the actual host name with a fake one in this note for
>> > security reasons.  I know the cas server name (the real one) is right
>> > and that it worked using the older version of schooltool which in turn
>> > used older zope packages, so that's why Chris suggested that there may
>> > have been a change in zope to cause the error.  That may be the case,
>> > but I don't know why.
>> >
>> > Does anybody have any ideas?
>> >
>> > _______________________________________________
>> > Mailing list: https://launchpad.net/~schooltool-developers
>> > Post to     : schooltool-developers@xxxxxxxxxxxxxxxxxxx
>> > Unsubscribe : https://launchpad.net/~schooltool-developers
>> > More help   : https://help.launchpad.net/ListHelp
>> >
>
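
Added example, not part of the thread and not schooltool.cas or zope.publisher code: a stand-alone model of the same-host redirect restriction quoted above from the 3.9.0 changelog, extended so that `trusted=True` is granted only for an explicitly configured CAS host instead of unconditionally. The function names and the `school.example` host are assumptions; `sla.cas.host:443` is the placeholder host name from the traceback.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def host_key(hostport, scheme):
    """Normalise 'host[:port]' to (lowercase host, explicit port)."""
    parts = urlsplit("%s://%s" % (scheme, hostport))
    return (parts.hostname or ""), parts.port or DEFAULT_PORTS[scheme]


def check_redirect(location, request_host, trusted_hosts=()):
    """Return the value to pass as ``trusted``; raise ValueError if refused.

    False -> target stays on the current host, the default check suffices.
    True  -> target is an explicitly configured external host (the CAS server).
    """
    parts = urlsplit(location)
    if not parts.netloc:
        # Relative URL. Refuse scheme-only targets (javascript:, data:) and
        # backslash forms that some browsers treat as "//host".
        if parts.scheme or location.startswith(("\\", "/\\")):
            raise ValueError("Unsupported redirect target %r" % location)
        return False
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("Unsupported redirect target %r" % location)
    # Compare the parsed host and port, never a string prefix: in
    # "https://sla.cas.host:443@evil.example/" the real host is evil.example.
    target = (parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])
    if target == host_key(request_host, parts.scheme):
        return False
    if target in {host_key(h, "https") for h in trusted_hosts}:
        return True
    raise ValueError("Untrusted redirect to host %r not allowed." % parts.netloc)


# Constructed values: school.example is a hypothetical SchoolTool host,
# sla.cas.host:443 is the placeholder host name used in the thread.
CAS = ["sla.cas.host:443"]
if __name__ == "__main__":
    url = "https://sla.cas.host/cas/login?service=https%3A%2F%2Fschool.example%2F"
    print(check_redirect(url, "school.example", CAS))
    # In the plugin this would become:
    #   request.response.redirect(requrl, trusted=check_redirect(requrl, host, CAS))
```

With an empty `trusted_hosts` the CAS URL is refused with the same message as in the traceback, which is the behaviour the upgrade to zope.publisher 3.11.0 exposed.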


