From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 13:19:13 +0000 (+0000)
Subject: passwordauth: avoid userinfo forgery via repeated email parameter
X-Git-Tag: debian/3.20141016.4~39
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/bffb71d6a7d28f6dd5f0be241f214e79eea7bb91?ds=inline

passwordauth: avoid userinfo forgery via repeated email parameter

OVE-20170111-0001
---

diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 4e0d36ed4..346515e23 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -326,8 +326,9 @@ sub formbuilder (@) {
 				IkiWiki::cgi_postsignin($cgi, $session);
 			}
 			elsif ($form->submitted eq 'Create Account') {
+				my $email = $form->field('email');
 				if (IkiWiki::userinfo_setall($user_name, {
-				    	'email' => $form->field('email'),
+					'email' => $email,
 					'regdate' => time})) {
 					setpassword($user_name, $form->field('password'));
 					$form->field(name => "confirm_password", type => "hidden");
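Review bot: The `setpassword($user_name, $form->field('password'));` call just below the fixed hash still evaluates `$form->field(...)` inside an argument list, the same shape this commit removes for `email`. Whether that is list context depends on `setpassword`'s prototype, which is not visible in this hunk, so it is safer to force it explicitly: `setpassword($user_name, scalar $form->field('password'));`. The new `my $email` line also deserves a comment so that nobody later inlines it back into the hash, e.g. `# scalar assignment on purpose: field() returns every submitted value in list context`. `formbuilder` begins and ends outside this hunk, so its other `$form->field` calls that sit in hash constructors or argument lists may need the same audit.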