From b642cbef80d120df3c9f3146eb1e39dfbe395a2d Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 11 Jan 2017 13:19:13 +0000 Subject: [PATCH] passwordauth: avoid userinfo forgery via repeated email parameter OVE-20170111-0001 (cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91) --- IkiWiki/Plugin/passwordauth.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm index 0dde0386e..86f93d717 100644 --- a/IkiWiki/Plugin/passwordauth.pm +++ b/IkiWiki/Plugin/passwordauth.pm @@ -332,8 +332,9 @@ sub formbuilder (@) { IkiWiki::cgi_postsignin($cgi, $session); } elsif ($form->submitted eq 'Create Account') { + my $email = $form->field('email'); if (IkiWiki::userinfo_setall($user_name, { - 'email' => $form->field('email'), + 'email' => $email, 'regdate' => time})) { setpassword($user_name, $form->field('password')); $form->field(name => "confirm_password", type => "hidden");