CGI, attachment, passwordauth: harden against repeated parameters

These instances of code similar to OVE-20170111-0001 are not believed to be exploitable, because defined(), length(), setpassword(), userinfo_set() and the binary "." operator all have prototypes that force the relevant argument to be evaluated in scalar context. However, using a safer idiom makes mistakes less likely. (cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
author: Simon McVittie <smcv@debian.org> 2017-01-11 13:22:03 +0000
committer: Simon McVittie <smcv@debian.org> 2017-01-11 18:11:07 +0000
commit: d157a97452ae0641f87996b6d0f21c9d222cef3d (patch)
tree: ef0032b1d5f83010b0f084557fc3690c9b46a7b9 /IkiWiki/CGI.pm
parent: b642cbef80d120df3c9f3146eb1e39dfbe395a2d (diff)
download: ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar
ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 89f4f2d73..1db96f9f2 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -294,8 +294,9 @@ sub cgi_prefs ($$) {
 		return;
 	}
 	elsif ($form->submitted eq 'Save Preferences' && $form->validate) {
-		if (defined $form->field('email')) {
-			userinfo_set($user_name, 'email', $form->field('email')) ||
+		my $email = $form->field('email');
+		if (defined $email) {
+			userinfo_set($user_name, 'email', $email) ||
 				error("failed to set email");
 		}
author	Simon McVittie <smcv@debian.org>	2017-01-11 13:22:03 +0000
committer	Simon McVittie <smcv@debian.org>	2017-01-11 18:11:07 +0000
commit	d157a97452ae0641f87996b6d0f21c9d222cef3d (patch)
tree	ef0032b1d5f83010b0f084557fc3690c9b46a7b9 /IkiWiki/CGI.pm
parent	b642cbef80d120df3c9f3146eb1e39dfbe395a2d (diff)
download	ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar.gz