From: Simon McVittie Date: Wed, 11 Jan 2017 13:19:13 +0000 (+0000) Subject: passwordauth: avoid userinfo forgery via repeated email parameter X-Git-Tag: debian/3.20120629.2+deb7u2~36 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/fe001bd7bf8d16ae998aa66513e3d2276ab9749b?ds=inline passwordauth: avoid userinfo forgery via repeated email parameter OVE-20170111-0001 --- diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm index 4e0d36ed4..346515e23 100644 --- a/IkiWiki/Plugin/passwordauth.pm +++ b/IkiWiki/Plugin/passwordauth.pm @@ -326,8 +326,9 @@ sub formbuilder (@) { IkiWiki::cgi_postsignin($cgi, $session); } elsif ($form->submitted eq 'Create Account') { + my $email = $form->field('email'); if (IkiWiki::userinfo_setall($user_name, { - 'email' => $form->field('email'), + 'email' => $email, 'regdate' => time})) { setpassword($user_name, $form->field('password')); $form->field(name => "confirm_password", type => "hidden");