diff options
author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-21 05:23:51 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-21 05:23:51 +0100 |
commit | 6ebe4849dd75ec01197bf465ea20b6aa74e770a1 (patch) | |
tree | a038b1064484e3f4b99a4d2c3773b1362fbd267f /lib/Fripost/Panel | |
parent | 49bf1466958645b24b113a40d126d84fec9a941b (diff) |
More secure way to check unlock tokens.
Diffstat (limited to 'lib/Fripost/Panel')
-rw-r--r-- | lib/Fripost/Panel/Interface.pm | 7 | ||||
-rw-r--r-- | lib/Fripost/Panel/Login.pm | 4 |
2 files changed, 7 insertions, 4 deletions
diff --git a/lib/Fripost/Panel/Interface.pm b/lib/Fripost/Panel/Interface.pm index e4724d1..cc7545a 100644 --- a/lib/Fripost/Panel/Interface.pm +++ b/lib/Fripost/Panel/Interface.pm @@ -66,8 +66,9 @@ sub ListLocals : Runmode { my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG ); my $q = $self->query; - if (defined $q->param('unlock') and $q->param('unlock') ne '') { - $fp->domain->unlock( $d, $q->param('unlock') ); + if (defined $q->param('unlock')) { + $fp->domain->unlock( $d, $q->param('unlock') ) + if $q->param('unlock') ne ''; $fp->done; return $self->redirect('../'); } @@ -224,6 +225,7 @@ sub EditLocal : Runmode { # Search for *the* matching user, alias or list. my ($d,$l) = ($self->split_path)[1,2]; + $fp->domain->get ($d, -die => 404, -attrs => []); my %local = $fp->local->get ($l.'@'.$d, -die => 404, -concat => "\x{0D}\x{0A}" ); die "Unknown type" unless grep { $local{type} eq $_ } @@ -486,6 +488,7 @@ sub AddLocal : Runmode { unless ($error) { my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG ); + $fp->domain->get ($d, -die => 404, -attrs => []); $error = $fp->$t->add( \%entry, -concat => "(\n|\x{0D}\x{0A})", %rest); $fp->done; return $self->redirect('./') unless $error; diff --git a/lib/Fripost/Panel/Login.pm b/lib/Fripost/Panel/Login.pm index b0906b3..e0ee02f 100644 --- a/lib/Fripost/Panel/Login.pm +++ b/lib/Fripost/Panel/Login.pm @@ -192,7 +192,7 @@ sub error_rm : ErrorRunmode { my $self = shift; my $error = shift; - if ($error =~ /^4\d+$/) { + if ($error =~ /^\d+$/) { # HTTP client error. chomp $error; $self->header_props ( -status => $error ); @@ -213,7 +213,7 @@ sub error_rm : ErrorRunmode { # Users are not supposed to see that unless the CGI crashes :P my $template = $self->load_tmpl( 'error.html', cache => 1 ); $template->param( email => $self->cfg('report_email') ); - $template->param( message => $error ); + $template->param( message => encode_entities ($error) ); $template->param( url => $self->query->url . '/'); return $template->output; } |