passwordauth: avoid userinfo forgery via repeated email parameter

author Simon McVittie <smcv@debian.org>

Wed, 11 Jan 2017 13:19:13 +0000 (13:19 +0000)

committer Simon McVittie <smcv@debian.org>

Wed, 11 Jan 2017 19:30:08 +0000 (19:30 +0000)
author Simon McVittie <smcv@debian.org>
Wed, 11 Jan 2017 13:19:13 +0000 (13:19 +0000)
committer Simon McVittie <smcv@debian.org>
Wed, 11 Jan 2017 19:30:08 +0000 (19:30 +0000)
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm

index 4e0d36ed42dc8c3610d8b0f63278bc51f1ae78b4..346515e23094e180f73b50cfd9d90c67f06c7a32 100644 (file)
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -326,8 +326,9 @@ sub formbuilder (@) {
                                 IkiWiki::cgi_postsignin($cgi, $session);
                         }
                         elsif ($form->submitted eq 'Create Account') {
+                               my $email = $form->field('email');
                                 if (IkiWiki::userinfo_setall($user_name, {
-                                       'email' => $form->field('email'),
+                                       'email' => $email,
                                         'regdate' => time})) {
                                         setpassword($user_name, $form->field('password'));
                                         $form->field(name => "confirm_password", type => "hidden");
author	Simon McVittie <smcv@debian.org>
	Wed, 11 Jan 2017 13:19:13 +0000 (13:19 +0000)
committer	Simon McVittie <smcv@debian.org>
	Wed, 11 Jan 2017 19:30:08 +0000 (19:30 +0000)