passwordauth: avoid userinfo forgery via repeated email parameter

OVE-20170111-0001

(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 0dde0386e7efce0e10624fb8b8b33e6e14f3e032..86f93d717416349f98ace5e58e80e03d18894426 100644 (file)
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -332,8 +332,9 @@ sub formbuilder (@) {
                                IkiWiki::cgi_postsignin($cgi, $session);
                        }
                        elsif ($form->submitted eq 'Create Account') {
                                IkiWiki::cgi_postsignin($cgi, $session);
                        }
                        elsif ($form->submitted eq 'Create Account') {

+                               my $email = $form->field('email');

                                if (IkiWiki::userinfo_setall($user_name, {
                                if (IkiWiki::userinfo_setall($user_name, {

-                                       'email' => $form->field('email'),
+                                       'email' => $email,

                                        'regdate' => time})) {
                                        setpassword($user_name, $form->field('password'));
                                        $form->field(name => "confirm_password", type => "hidden");
                                        'regdate' => time})) {
                                        setpassword($user_name, $form->field('password'));
                                        $form->field(name => "confirm_password", type => "hidden");