From 6ebe4849dd75ec01197bf465ea20b6aa74e770a1 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 21 Jan 2013 05:23:51 +0100
Subject: More secure way to check unlock tokens.

---
 lib/Fripost/Panel/Interface.pm | 7 +++++--
 lib/Fripost/Panel/Login.pm | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'lib/Fripost/Panel')

diff --git a/lib/Fripost/Panel/Interface.pm b/lib/Fripost/Panel/Interface.pm
index e4724d1..cc7545a 100644
--- a/lib/Fripost/Panel/Interface.pm
+++ b/lib/Fripost/Panel/Interface.pm
@@ -66,8 +66,9 @@ sub ListLocals : Runmode {
 my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG );
 my $q = $self->query;
- if (defined $q->param('unlock') and $q->param('unlock') ne '') {
- $fp->domain->unlock( $d, $q->param('unlock') );
+ if (defined $q->param('unlock')) {
+ $fp->domain->unlock( $d, $q->param('unlock') )
+ if $q->param('unlock') ne '';
 $fp->done;
 return $self->redirect('../');
 }
@@ -224,6 +225,7 @@ sub EditLocal : Runmode {
 # Search for *the* matching user, alias or list.
 my ($d,$l) = ($self->split_path)[1,2];
+ $fp->domain->get ($d, -die => 404, -attrs => []);
 my %local = $fp->local->get ($l.'@'.$d, -die => 404, -concat => "\x{0D}\x{0A}" );
 die "Unknown type" unless grep { $local{type} eq $_ }
@@ -486,6 +488,7 @@ sub AddLocal : Runmode {
 unless ($error) {
 my $fp = Fripost::Schema::->SASLauth( $self->authen->username, %CFG );
+ $fp->domain->get ($d, -die => 404, -attrs => []);
 $error = $fp->$t->add( \%entry, -concat => "(\n|\x{0D}\x{0A})", %rest);
 $fp->done;
 return $self->redirect('./') unless $error;
diff --git a/lib/Fripost/Panel/Login.pm b/lib/Fripost/Panel/Login.pm
index b0906b3..e0ee02f 100644
--- a/lib/Fripost/Panel/Login.pm
+++ b/lib/Fripost/Panel/Login.pm
@@ -192,7 +192,7 @@ sub error_rm : ErrorRunmode {
 my $self = shift;
 my $error = shift;
- if ($error =~ /^4\d+$/) {
+ if ($error =~ /^\d+$/) {
 # HTTP client error.
 chomp $error;
 $self->header_props ( -status => $error );
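Review bot: `$q->param('unlock')` is still evaluated in list context where it is passed as an argument to `$fp->domain->unlock` on the second added line of the ListLocals hunk, so a request that carries the `unlock` parameter more than once would hand `unlock` several extra arguments instead of a single token. Read it once in scalar context and reuse the copy: `my $token = $q->param('unlock');`, `if (defined $token) {`, `$fp->domain->unlock( $d, $token ) if $token ne '';`. That also removes the three repeated parameter lookups in the same block. Whether the token itself needs a shape check before reaching `unlock` depends on what `unlock` does with it, which is not visible here; `ListLocals` starts before this hunk.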
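Review bot: The added `$fp->domain->get ($d, -die => 404, -attrs => []);` in the EditLocal hunk, and the identical line in the AddLocal hunk, discards its return value and is there only for the `-die => 404` side effect, which a reader cannot tell without knowing the schema API; a comment such as `# Abort with 404 unless the domain is known (and visible) to this user.` above each call would make the intent explicit. Whether `get` also enforces that the authenticated user may act on `$d`, rather than only that the domain exists, is not visible in this diff and is worth confirming, since that is what makes the following `$l.'@'.$d` lookup and the `add` call safe. Both enclosing subs start and end outside their hunks.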
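Review bot: Widening the pattern from `/^4\d+$/` to `/^\d+$/` in the error_rm hunk sends any all-digit die value straight to `header_props` as the response status, including values that are not HTTP status codes at all, and the `# HTTP client error.` comment on the next line is now inaccurate. A three-digit bound such as `if ($error =~ /^[45]\d\d$/) {` keeps the new behaviour for 5xx without passing arbitrary numbers through, with the comment changed to `# HTTP status (client or server error).`; keep `$` rather than `\z`, since the values matched here evidently carry the trailing newline that the following `chomp` strips. `error_rm` continues past this hunk.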
@@ -213,7 +213,7 @@ sub error_rm : ErrorRunmode {
 # Users are not supposed to see that unless the CGI crashes :P
 my $template = $self->load_tmpl( 'error.html', cache => 1 );
 $template->param( email => $self->cfg('report_email') );
- $template->param( message => $error );
+ $template->param( message => encode_entities ($error) );
 $template->param( url => $self->query->url . '/');
 return $template->output;
 }
-- 
cgit v1.2.3
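Review bot: `encode_entities` is called on the added line but the hunk shows no `use HTML::Entities qw(encode_entities);`; unless Login.pm already imports it, the error page dies with an undefined-subroutine error exactly when it is being rendered for a crash, so confirm the import is present at the top of the file. The neighbouring `url` parameter is built from `$self->query->url`, which is derived from the request environment rather than from fixed configuration, so it deserves the same escaping; if the templates are HTML::Template, `ESCAPE=HTML` on those variables would cover `message`, `url` and `email` consistently instead of per call. `error_rm` starts before this hunk.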