From 2bece6abde54881bb074dd44e7f87885eab4a777 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 29 Sep 2012 02:03:21 +0200
Subject: Proper escaping of URIs.

---
 lib/Fripost/Panel/Login.pm | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

(limited to 'lib/Fripost/Panel/Login.pm')

diff --git a/lib/Fripost/Panel/Login.pm b/lib/Fripost/Panel/Login.pm
index 86b3e66..810f9e1 100644
--- a/lib/Fripost/Panel/Login.pm
+++ b/lib/Fripost/Panel/Login.pm
@@ -20,8 +20,9 @@ use CGI::Application::Plugin::Redirect;
 use CGI::Application::Plugin::ConfigAuto 'cfg';
 use Fripost::Schema;
-use HTML::Entities;
-use Net::IDN::Encode qw/email_to_ascii/;
+use HTML::Entities 'encode_entities';
+use URI::Escape::XS 'decodeURIComponent';
+use Net::IDN::Encode 'email_to_ascii';
 # This method is called right before the 'setup' method below. It
@@ -62,7 +63,7 @@ sub cgiapp_init {
 $u .= '@'.$CFG{default_realm};
 }
 Encode::_utf8_on($u);
- $u = Net::IDN::Encode::email_to_ascii($u);
+ $u = email_to_ascii($u);
 my $fp = Fripost::Schema::->auth($u, $p,
 ldap_uri => $CFG{ldap_uri},
 ldap_suffix => $CFG{ldap_suffix},
@@ -80,7 +81,7 @@ sub cgiapp_init {
 );
 
 # The run modes that require authentication
- $self->authen->protected_runmodes( qw /okay error_rm/ );
+ $self->authen->protected_runmodes( qw/okay error_rm/ );
 }
 
 
@@ -105,7 +106,7 @@ sub setup {
 return 'logout' if defined $a and $a eq 'logout';
 
 # /domain/{user,alias,list}/?query_url
- my ($null,$domain,$local,$crap) = split /\//, $ENV{PATH_INFO};
+ my ($null,$domain,$local,$crap) = $self->split_path;
 
 return 'ListDomains' unless (defined $null) and $null eq '';
 
@@ -164,7 +165,7 @@ sub login : Runmode {
 sub login_box {
 my $self = shift;
- my $template = $self->load_tmpl( 'login.html', cache => 1, utf8 => 1 );
+ my $template = $self->load_tmpl( 'login.html', cache => 1 );
 $template->param( error => $self->authen->login_attempts );
 $template->param( redirect => $self->query->param('redirect') );
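Review bot: In the setup hunk, `$domain` and `$local` (and `$crap`) are now percent-decoded after the split on `/`, so an encoded slash, NUL (`%00`) or whitespace in the request path survives as a literal character inside a single component, which the old split on the server-decoded `$ENV{PATH_INFO}` presumably did not yield in the same way. The remainder of setup, which consumes these values and lies outside the hunk, should treat them as untrusted and reject any component that does not match a tight anchored pattern (IDN-aware if the panel accepts non-ASCII domains) before it becomes an LDAP lookup key or a template parameter. A short comment on the changed line, e.g. `# components are percent-decoded: validate before use`, would make that expectation visible to later readers.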
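Review bot: Dropping `utf8 => 1` from the `load_tmpl` call in login_box changes how the template file is decoded, and the commit message (URI escaping) does not explain it; the two error_rm hunks make the same change for `error_http.html` and `error.html`. If those templates contain non-ASCII text, confirm that the flag is now supplied by a file-level default elsewhere, otherwise their output becomes mojibake. A one-line comment at the call site stating where template encoding is now configured would document the reason. login_box continues past the end of the hunk.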
@@ -199,7 +200,7 @@ sub error_rm : ErrorRunmode {
 # HTTP client error.
 chomp $error;
 $self->header_props ( -status => $error );
- my $template = $self->load_tmpl( 'error_http.html', cache => 1, utf8 => 1 );
+ my $template = $self->load_tmpl( 'error_http.html', cache => 1 );
 my $mesg;
 if ($error eq '403' ) { $mesg = 'Forbidden'
@@ -214,7 +215,7 @@ sub error_rm : ErrorRunmode {
 else {
 # Users are not supposed to see that unless the CGI crashes :P
- my $template = $self->load_tmpl( 'error.html', cache => 1, utf8 => 1 );
+ my $template = $self->load_tmpl( 'error.html', cache => 1 );
 $template->param( email => $self->cfg('report_email') );
 $template->param( message => $error );
 $template->param( url => $self->query->url . '/');
@@ -222,6 +223,19 @@ sub error_rm : ErrorRunmode {
 }
 }
+sub split_path {
+ my $self = shift;
+ my %options = @_;
+
+ my $script = $ENV{SCRIPT_NAME} // '';
+ my $uri = $self->query->request_uri;
+ $uri =~ s/^$script//s;
+ $uri =~ s/\?.*//s;
+
+ map { my $x = decodeURIComponent($_); Encode::_utf8_on($x); $x }
+ (split /\//, $uri);
+}
+
 =head1 AUTHOR
-- 
cgit v1.2.3
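Review bot: `$uri =~ s/^$script//s;` in split_path interpolates `$ENV{SCRIPT_NAME}` as a regular expression, so a `.` in the script name matches any character and metacharacters such as `+` or `(` break the pattern; strip it as a literal prefix with `$uri =~ s/^\Q$script\E//s;`. `Encode::_utf8_on($x)` only flips the UTF-8 flag without validating, so a crafted percent-encoded component carrying malformed bytes becomes a string Perl treats as valid text, which can defeat later `eq` or regex checks on `$domain` and `$local`; decoding with validation, `map { Encode::decode('UTF-8', decodeURIComponent($_), Encode::FB_CROAK) } split /\//, $uri;`, rejects such input instead (split_path is called from setup, so confirm how an exception raised there is reported to the client). `request_uri` may return undef when REQUEST_URI is unset, so `my $uri = $self->query->request_uri // '';` avoids a warning-laden substitution on undef. `%options` is assigned but never read, and the sub returns a list whose scalar-context value is only the element count, which deserves a one-line comment above the `map`, e.g. `# Returns the percent-decoded path components; call in list context.`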