From b642cbef80d120df3c9f3146eb1e39dfbe395a2d Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 13:19:13 +0000
Subject: passwordauth: avoid userinfo forgery via repeated email parameter

OVE-20170111-0001

(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
---
 IkiWiki/Plugin/passwordauth.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'IkiWiki')

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 0dde0386e..86f93d717 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -332,8 +332,9 @@ sub formbuilder (@) {
 				IkiWiki::cgi_postsignin($cgi, $session);
 			}
 			elsif ($form->submitted eq 'Create Account') {
+				my $email = $form->field('email');
 				if (IkiWiki::userinfo_setall($user_name, {
-				    	'email' => $form->field('email'),
+					'email' => $email,
 					'regdate' => time})) {
 					setpassword($user_name, $form->field('password'));
 					$form->field(name => "confirm_password", type => "hidden");
-- 
cgit v1.2.3