]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/CGI.pm
projects / git.ikiwiki.info.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
passwordauth: prevent authentication bypass via multiple name parameters
[git.ikiwiki.info.git] / IkiWiki / CGI.pm
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 6a04decb617571c9a8f6ea6e206663f177bd24de..b6923b54f89e55e0878977fdc906d849baa81e9f 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -131,7 +131,7 @@ sub needsignin ($$) {
 
        if (! defined $session->param("name") ||
            ! userinfo_get($session->param("name"), "regdate")) {
-               $session->param(postsignin => $ENV{QUERY_STRING});
+               $session->param(postsignin => $q->query_string);
                cgi_signin($q, $session);
                cgi_savesession($session);
                exit;
@@ -429,7 +429,7 @@ sub cgi (;$$) {
                        # userinfo db.
                        if (! userinfo_get($session->param("name"), "regdate")) {
                                userinfo_setall($session->param("name"), {
-                                       email => "",
+                                       email => defined $session->param("email") ? $session->param("email") : "",
                                        password => "",
                                        regdate => time,
                                }) || error("failed adding user");
@@ -460,6 +460,9 @@ sub cgi (;$$) {
 sub cgierror ($) {
        my $message=shift;
 
+       eval q{use HTML::Entities};
+       $message = encode_entities($message);
+
        print "Content-type: text/html\n\n";
        print cgitemplate(undef, gettext("Error"),
                "<p class=\"error\">".gettext("Error").": $message</p>");
Unnamed repository; edit this file 'description' to name the repository.