diff options
| author | Simon McVittie <smcv@debian.org> | 2017-01-11 13:19:13 +0000 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2017-01-11 18:11:07 +0000 |
| commit | b642cbef80d120df3c9f3146eb1e39dfbe395a2d (patch) | |
| tree | fa86844328fa0759fd120566ef1d7d3be578696f /IkiWiki | |
| parent | 3964787238ccfd4877c6a583cda5e2744887238b (diff) | |
| download | ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar.gz | |
passwordauth: avoid userinfo forgery via repeated email parameter
OVE-20170111-0001
(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
Diffstat (limited to 'IkiWiki')
| -rw-r--r-- | IkiWiki/Plugin/passwordauth.pm | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm index 0dde0386e..86f93d717 100644 --- a/IkiWiki/Plugin/passwordauth.pm +++ b/IkiWiki/Plugin/passwordauth.pm @@ -332,8 +332,9 @@ sub formbuilder (@) { IkiWiki::cgi_postsignin($cgi, $session); } elsif ($form->submitted eq 'Create Account') { + my $email = $form->field('email'); if (IkiWiki::userinfo_setall($user_name, { - 'email' => $form->field('email'), + 'email' => $email, 'regdate' => time})) { setpassword($user_name, $form->field('password')); $form->field(name => "confirm_password", type => "hidden"); |