po: Add failing test for Debian bug #911356
index 7c01bb3ffe11b0f7d36160e69de957efb659ffb7..cfa3ad41865e98cefe52295384a25c905300beb8 100644 (file)
@@ -113,7 +113,7 @@ sub gentoken ($$;$) {
 
        eval q{use CGI::Session};
        error($@) if $@;
-       my $token = CGI::Session->new->id;
+       my $token = CGI::Session->new("driver:DB_File", undef, {FileName => "/dev/null"})->id;
        if (! $reversable) {
                setpassword($user, $token, $tokenfield);
        }
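Review bot: The token on the new line is still whatever CGI::Session's id generator produces; the driver change only moves the throwaway session's storage to /dev/null and says nothing about how the id is made. As far as I recall, CGI::Session's default generator (CGI::Session::ID::md5) hashes pid, time and rand(), which is not a cryptographic source, and this token authorizes a password reset (see setpassword on the next line). Reading the token from the kernel RNG avoids the question entirely: `open(my $rnd, '<', '/dev/urandom') or error("cannot open /dev/urandom: $!");` `read($rnd, my $bytes, 20) == 20 or error("short read from /dev/urandom");` `my $token = unpack("H*", $bytes);`. If the session-id route is kept, a comment such as `# DB_File on /dev/null: we only want a fresh id, never a persisted session` would explain the unusual driver arguments. gentoken's body continues past the end of this hunk.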
@@ -231,7 +231,7 @@ sub formbuilder_setup (@) {
                                $form->field(
                                        name => "password",
                                        validate => sub {
-                                               checkpassword($form->field("name"), shift);
+                                               checkpassword(scalar $form->field("name"), shift);
                                        },
                                );
                        }
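Review bot: The added `scalar` looks redundant to a casual reader and is likely to be "cleaned up" by a later edit, so it deserves a comment saying why it is there. I would add above the call: `# scalar: a repeated name= parameter would otherwise expand to several arguments, shifting the password`. The rest of the file reads `name` via scalar assignment, which already forces scalar context, so this validator was the one place where list context could matter. The enclosing `if` that sets up this field begins before the hunk.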
@@ -251,6 +251,12 @@ sub formbuilder_setup (@) {
                                                my $name=shift;
                                                length $name &&
                                                $name=~/$config{wiki_file_regexp}/ &&
+                                               # don't allow registering
+                                               # accounts that look like
+                                               # openids, or email
+                                               # addresses, even if the
+                                               # file regexp allows it
+                                               $name!~/[\/:\@]/ &&
                                                ! IkiWiki::userinfo_get($name, "regdate");
                                        },
                                );
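Review bot: The new blocklist is written as `/[\/:\@]/`, which needs two escapes; `m{[/:@]}` expresses the same character class with none and is easier to audit. The comment above it should also say that this is a registration-time check only, e.g. `# (checked at registration only; existing accounts are not renamed)`, so nobody later assumes every stored account name satisfies it. Whether other account-creation paths exist that bypass this validator cannot be seen from here. The `sub {` that opens this validator starts before the hunk.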
@@ -299,7 +305,7 @@ sub formbuilder_setup (@) {
                                                noimageinline => 1));
                        }
                        else {
-                               $form->text("<a href=\"".
+                               $form->text("<a rel=\"nofollow\" href=\"".
                                        IkiWiki::cgiurl(do => "edit", page => $userpage).
                                        "\">".gettext("Create your user page")."</a>");
                        }
@@ -319,16 +325,20 @@ sub formbuilder (@) {
 
        if ($form->title eq "signin" || $form->title eq "register") {
                if (($form->submitted && $form->validate) || $do_register) {
+                       my $user_name = $form->field('name');
+
                        if ($form->submitted eq 'Login') {
-                               $session->param("name", $form->field("name"));
+                               $session->param("name", $user_name);
                                IkiWiki::cgi_postsignin($cgi, $session);
                        }
                        elsif ($form->submitted eq 'Create Account') {
-                               my $user_name=$form->field('name');
+                               my $email = $form->field('email');
+                               my $password = $form->field('password');
+
                                if (IkiWiki::userinfo_setall($user_name, {
-                                       'email' => $form->field('email'),
+                                       'email' => $email,
                                        'regdate' => time})) {
-                                       setpassword($user_name, $form->field('password'));
+                                       setpassword($user_name, $password);
                                        $form->field(name => "confirm_password", type => "hidden");
                                        $form->field(name => "email", type => "hidden");
                                        $form->text(gettext("Account creation successful. Now you can Login."));
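Review bot: `$email` is stored into userinfo exactly as submitted, and no validation of the email field is visible in this hunk; the field's `validate` spec, if any, is set up earlier in formbuilder_setup and cannot be confirmed from here. The value is later read back for the password-reset mail (see the Reset Password branch below), so a stray newline or header-like content in it would matter if the mailer does not sanitize recipients. If the field is not validated elsewhere, a minimal check before `userinfo_setall` would be `error(gettext("invalid email address")) if $email =~ /[\r\n]/;`. The `if` guarding this branch begins at the top of the hunk; its closing brace is past the hunk's end.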
@@ -338,7 +348,6 @@ sub formbuilder (@) {
                                }
                        }
                        elsif ($form->submitted eq 'Reset Password') {
-                               my $user_name=$form->field("name");
                                my $email=IkiWiki::userinfo_get($user_name, "email");
                                if (! length $email) {
                                        error(gettext("No email address, so cannot email password reset instructions."));
@@ -349,7 +358,7 @@ sub formbuilder (@) {
                                my $template=template("passwordmail.tmpl");
                                $template->param(
                                        user_name => $user_name,
-                                       passwordurl => IkiWiki::cgiurl_abs(
+                                       passwordurl => IkiWiki::cgiurl_abs_samescheme(
                                                'do' => "reset",
                                                'name' => $user_name,
                                                'token' => $token,
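Review bot: The helper's name suggests the reset link now mirrors the scheme of the request that triggered it, so a reset requested over plain http yields an http link carrying the token in the mail; I cannot see cgiurl_abs_samescheme's definition to confirm this. If the wiki is reachable over https, a comment stating why the requester's scheme is preferred over the configured one would help, e.g. `# samescheme: keep the user on the scheme they came in on; the token is single-use`, or the link should be forced to https. The token ends up in a URL either way, so it will also appear in server logs. The template->param call starts before the hunk and ends after it.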
@@ -388,8 +397,9 @@ sub formbuilder (@) {
        elsif ($form->title eq "preferences") {
                if ($form->submitted eq "Save Preferences" && $form->validate) {
                        my $user_name=$form->field('name');
-                       if (defined $form->field("password") && length $form->field("password")) {
-                               setpassword($user_name, $form->field('password'));
+                       my $password=$form->field('password');
+                       if (defined $password && length $password) {
+                               setpassword($user_name, $password);
                        }
                }
        }
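Review bot: The account whose password is set is still taken from the submitted `name` field rather than from the session, so the new `$password` check does not by itself stop a tampered request from naming another user. Whether the preferences form forces `name` from `$session->param("name")` is decided in code outside this hunk, so I cannot tell if this is already covered. Using the session directly removes the dependency: `my $user_name=$session->param('name');`. If the form does force the value, a one-line comment saying so next to the assignment would save the next reader the same question.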