This PR is a response to two security issues flagged up to the Plone security list (security@plone.org):
The Cookie Auth Helper doesn't do any input checking on the came_from URL and allows everything, including URLs with different hostnames. It's an open redirect: https://cwe.mitre.org/data/definitions/601.html. The PR fixes it by always removing the protocol and host parts before doing the redirect, thereby limiting the redirect to the site that showed the login form.
The enumerateRoles method on the ZODB Role Manager had no permission assigned to it, making it accessible for everyone, inclusing anonymous visitors. That's is an information disclosure vulnerability. This PR declares the method private, like all other enumerateXXX methods on the other plugins.
This PR is a response to two security issues flagged up to the Plone security list (security@plone.org):
came_fromURL and allows everything, including URLs with different hostnames. It's an open redirect: https://cwe.mitre.org/data/definitions/601.html. The PR fixes it by always removing the protocol and host parts before doing the redirect, thereby limiting the redirect to the site that showed the login form.enumerateRolesmethod on the ZODB Role Manager had no permission assigned to it, making it accessible for everyone, inclusing anonymous visitors. That's is an information disclosure vulnerability. This PR declares the method private, like all otherenumerateXXXmethods on the other plugins.