From fe001bd7bf8d16ae998aa66513e3d2276ab9749b Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 11 Jan 2017 13:19:13 +0000 Subject: [PATCH] passwordauth: avoid userinfo forgery via repeated email parameter OVE-20170111-0001 --- IkiWiki/Plugin/passwordauth.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm index 4e0d36ed4..346515e23 100644 --- a/IkiWiki/Plugin/passwordauth.pm +++ b/IkiWiki/Plugin/passwordauth.pm @@ -326,8 +326,9 @@ sub formbuilder (@) { IkiWiki::cgi_postsignin($cgi, $session); } elsif ($form->submitted eq 'Create Account') { + my $email = $form->field('email'); if (IkiWiki::userinfo_setall($user_name, { - 'email' => $form->field('email'), + 'email' => $email, 'regdate' => time})) { setpassword($user_name, $form->field('password')); $form->field(name => "confirm_password", type => "hidden"); -- 2.39.5