author | Simon McVittie <smcv@debian.org> | 2017-01-11 13:22:03 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2017-01-11 18:11:07 +0000 |
commit | d157a97452ae0641f87996b6d0f21c9d222cef3d (patch) | |
tree | ef0032b1d5f83010b0f084557fc3690c9b46a7b9 /IkiWiki/CGI.pm | |
parent | b642cbef80d120df3c9f3146eb1e39dfbe395a2d (diff) | |
download | ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar ikiwiki-d157a97452ae0641f87996b6d0f21c9d222cef3d.tar.gz |
CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.
(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
Diffstat (limited to 'IkiWiki/CGI.pm')
-rw-r--r-- | IkiWiki/CGI.pm | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index 89f4f2d73..1db96f9f2 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -294,8 +294,9 @@ sub cgi_prefs ($$) { return; } elsif ($form->submitted eq 'Save Preferences' && $form->validate) { - if (defined $form->field('email')) { - userinfo_set($user_name, 'email', $form->field('email')) || + my $email = $form->field('email'); + if (defined $email) { + userinfo_set($user_name, 'email', $email) || error("failed to set email"); } |
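Review bot: the hunk removes the dependence on userinfo_set()'s prototype to force scalar context, which is the stated intent, by evaluating `my $email = $form->field('email');` once in scalar assignment and reusing that value for both the defined() check and the userinfo_set() call; the old code called `$form->field('email')` twice, so a repeated `email` parameter was previously relying on each callee's prototype rather than on the caller. Two things worth confirming before merge: that the value seen in scalar context here is the same one `$form->validate` checked in the branch condition just above, and that this is the only `$form->field(...)` call in this `cgi_prefs` branch that is passed straight into another function, since the diffstat shows the change limited to these three lines and the commit message names attachment and passwordauth as receiving the same treatment elsewhere.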