authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 05:23:51 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 05:23:51 +0100
commit6ebe4849dd75ec01197bf465ea20b6aa74e770a1 (patch)
treea038b1064484e3f4b99a4d2c3773b1362fbd267f /lib/Fripost/Panel
parent49bf1466958645b24b113a40d126d84fec9a941b (diff)
More secure way to check unlock tokens.
Diffstat (limited to 'lib/Fripost/Panel')
-rw-r--r--lib/Fripost/Panel/Interface.pm7
-rw-r--r--lib/Fripost/Panel/Login.pm4
2 files changed, 7 insertions, 4 deletions
diff --git a/lib/Fripost/Panel/Interface.pm b/lib/Fripost/Panel/Interface.pm
index e4724d1..cc7545a 100644
--- a/lib/Fripost/Panel/Interface.pm
+++ b/lib/Fripost/Panel/Interface.pm
@@ -66,8 +66,9 @@ sub ListLocals : Runmode {
my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG );
my $q = $self->query;
- if (defined $q->param('unlock') and $q->param('unlock') ne '') {
- $fp->domain->unlock( $d, $q->param('unlock') );
+ if (defined $q->param('unlock')) {
+ $fp->domain->unlock( $d, $q->param('unlock') )
+ if $q->param('unlock') ne '';
$fp->done;
return $self->redirect('../');
}
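Review bot: `$q->param('unlock')` is evaluated three times in the rewritten condition, and the call on the `$fp->domain->unlock( $d, $q->param('unlock') )` line is in list context, so a request carrying several `unlock` parameters would hand every value to `unlock` as extra positional arguments. Read the token once into a scalar and test that copy: `my $token = $q->param('unlock');` / `if (defined $token) {` / `$fp->domain->unlock( $d, $token ) if $token ne '';`. Note that the new code also changes behaviour for an empty token, which now redirects to `../` without unlocking where it previously fell through; if that is intended it deserves a short comment. ListLocals starts before this hunk.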
@@ -224,6 +225,7 @@ sub EditLocal : Runmode {
# Search for *the* matching user, alias or list.
my ($d,$l) = ($self->split_path)[1,2];
+ $fp->domain->get ($d, -die => 404, -attrs => []);
my %local = $fp->local->get ($l.'@'.$d, -die => 404,
-concat => "\x{0D}\x{0A}" );
die "Unknown type" unless grep { $local{type} eq $_ }
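Review bot: The added `$fp->domain->get ($d, -die => 404, -attrs => []);` discards its return value, so a reader cannot tell whether it is a guard or a forgotten assignment; the identical line is added in the AddLocal hunk below and has the same problem. A one-line comment on both would make the intent explicit: `# Return value unused: presumably relies on -die => 404 to abort here when the domain cannot be fetched, before the local is touched.` EditLocal starts before this hunk and the `die "Unknown type" unless grep …` statement continues past it.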
@@ -486,6 +488,7 @@ sub AddLocal : Runmode {
unless ($error) {
my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG );
+ $fp->domain->get ($d, -die => 404, -attrs => []);
$error = $fp->$t->add( \%entry, -concat => "(\n|\x{0D}\x{0A})", %rest);
$fp->done;
return $self->redirect('./') unless $error;
diff --git a/lib/Fripost/Panel/Login.pm b/lib/Fripost/Panel/Login.pm
index b0906b3..e0ee02f 100644
--- a/lib/Fripost/Panel/Login.pm
+++ b/lib/Fripost/Panel/Login.pm
@@ -192,7 +192,7 @@ sub error_rm : ErrorRunmode {
my $self = shift;
my $error = shift;
- if ($error =~ /^4\d+$/) {
+ if ($error =~ /^\d+$/) {
# HTTP client error.
chomp $error;
$self->header_props ( -status => $error );
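Review bot: Widening `/^4\d+$/` to `/^\d+$/` means any all-digit error string, including 2xx/3xx values or numbers with more than three digits, is passed straight to `-status` on the `header_props` line. If the goal is to cover server errors as well as client errors, `if ($error =~ /^[45]\d\d$/) {` keeps that while still rejecting strings that are not an HTTP error status. The `# HTTP client error.` comment is now out of date as well; `# HTTP error status (4xx or 5xx).` would match the new condition. error_rm continues outside the hunk.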
@@ -213,7 +213,7 @@ sub error_rm : ErrorRunmode {
# Users are not supposed to see that unless the CGI crashes :P
my $template = $self->load_tmpl( 'error.html', cache => 1 );
$template->param( email => $self->cfg('report_email') );
- $template->param( message => $error );
+ $template->param( message => encode_entities ($error) );
$template->param( url => $self->query->url . '/');
return $template->output;
}
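Review bot: `encode_entities` on the `message` line is the right fix for markup reflected through the error page, but the `url` parameter on the following line is filled from `$self->query->url`, which is derived from the request, and it is still passed unescaped; unless error.html applies `ESCAPE=HTML` to that placeholder it deserves the same treatment, `$template->param( url => encode_entities( $self->query->url ) . '/');`. The hunk does not show whether HTML::Entities is imported in Login.pm; if it is not, `use HTML::Entities qw(encode_entities);` is needed in the file's preamble or the call will fail at runtime. error_rm's body starts before this hunk.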