passwordauth: avoid userinfo forgery via repeated email parameter

OVE-20170111-0001 (cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
author: Simon McVittie <smcv@debian.org> 2017-01-11 13:19:13 +0000
committer: Simon McVittie <smcv@debian.org> 2017-01-11 18:11:07 +0000
commit: b642cbef80d120df3c9f3146eb1e39dfbe395a2d (patch)
tree: fa86844328fa0759fd120566ef1d7d3be578696f /IkiWiki
parent: 3964787238ccfd4877c6a583cda5e2744887238b (diff)
download: ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar
ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 0dde0386e..86f93d717 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -332,8 +332,9 @@ sub formbuilder (@) {
 				IkiWiki::cgi_postsignin($cgi, $session);
 			}
 			elsif ($form->submitted eq 'Create Account') {
+				my $email = $form->field('email');
 				if (IkiWiki::userinfo_setall($user_name, {
-				    	'email' => $form->field('email'),
+					'email' => $email,
 					'regdate' => time})) {
 					setpassword($user_name, $form->field('password'));
 					$form->field(name => "confirm_password", type => "hidden");
author	Simon McVittie <smcv@debian.org>	2017-01-11 13:19:13 +0000
committer	Simon McVittie <smcv@debian.org>	2017-01-11 18:11:07 +0000
commit	b642cbef80d120df3c9f3146eb1e39dfbe395a2d (patch)
tree	fa86844328fa0759fd120566ef1d7d3be578696f /IkiWiki
parent	3964787238ccfd4877c6a583cda5e2744887238b (diff)
download	ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar ikiwiki-b642cbef80d120df3c9f3146eb1e39dfbe395a2d.tar.gz