authorSimon McVittie <smcv@debian.org>2017-01-11 13:19:13 +0000
committerSimon McVittie <smcv@debian.org>2017-01-11 18:11:07 +0000
commitb642cbef80d120df3c9f3146eb1e39dfbe395a2d (patch)
treefa86844328fa0759fd120566ef1d7d3be578696f /IkiWiki
parent3964787238ccfd4877c6a583cda5e2744887238b (diff)
passwordauth: avoid userinfo forgery via repeated email parameter
OVE-20170111-0001 (cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
Diffstat (limited to 'IkiWiki')
-rw-r--r--IkiWiki/Plugin/passwordauth.pm3
1 files changed, 2 insertions, 1 deletions
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 0dde0386e..86f93d717 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -332,8 +332,9 @@ sub formbuilder (@) {
IkiWiki::cgi_postsignin($cgi, $session);
}
elsif ($form->submitted eq 'Create Account') {
+ my $email = $form->field('email');
if (IkiWiki::userinfo_setall($user_name, {
- 'email' => $form->field('email'),
+ 'email' => $email,
'regdate' => time})) {
setpassword($user_name, $form->field('password'));
$form->field(name => "confirm_password", type => "hidden");
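Review bot: The `$form->field('password')` call two lines below the fix is still evaluated inside the argument list of `setpassword`, so whether a repeated `password` parameter can add extra arguments depends on `setpassword` having a prototype that forces scalar context; its definition is outside this hunk. Writing `setpassword($user_name, scalar $form->field('password'));` makes the intent explicit and removes that dependency. The new `my $email = $form->field('email');` line also deserves a comment such as `# scalar context: field() returns all values of a repeated parameter in list context`, because without it the temporary looks redundant and could be inlined back into the hash constructor. `formbuilder` starts and ends outside the hunk, so other `field()` calls in it are not visible here.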