Commit Graph

10 Commits (43033a2a6e80a67f29b78d4a6ecfb072ea6165e0)

Author SHA1 Message Date
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Joey Hess 9e4f0efe44 notifyemail: Fix bug that caused duplicate emails to be sent when site was rebuilt. 2013-05-18 16:26:48 -04:00
Joey Hess c885ec66e0 allow users to subscribe to comments w/o registering
Technically, when the user does this, a passwordless account is created
for them. The notify mails include a login url, and once logged in that
way, the user can enter a password to get a regular account (although
one with an annoying username).

This all requires that the passwordauth plugin be enabled. A future enhancement
could be to split the passwordless user concept out into a separate plugin.
2012-04-02 13:45:39 -04:00
Joey Hess f9e96b0c32 passwordauth: Fix url in password recovery email to be absolute.
This got broken when cgiurl began often returning a relative url.
Added a cgiurl_abs for the things that need a guaranteed absolute cgiurl.
2012-04-02 12:24:14 -04:00
Joey Hess 5ed773c643 more fixes to subscription prefs 2012-03-28 20:56:22 -04:00
Joey Hess d366a7bbb5 don't force old subscriptions value when posting 2012-03-28 20:45:52 -04:00
Joey Hess 6c297c4097 fix adding first subscription to pagespec 2012-03-28 20:42:37 -04:00
Joey Hess dadc822295 remove misc section 2012-03-28 20:36:25 -04:00
Joey Hess accf79f94a polishing notifyemail 2012-03-28 19:39:08 -04:00
Joey Hess a22be4eef0 finish notifyemail plugin 2012-03-28 18:52:11 -04:00
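As an added illustration of the list-context problem described in commit c1120bbbe8 (this is not code from ikiwiki or CGI::FormBuilder): MockForm and check_login are hypothetical stand-ins, and check_login deliberately has no prototype, unlike the checkpassword() that the commit message says is already protected by one.

```perl
#!/usr/bin/perl
# Constructed illustration of the context bug fixed in ikiwiki commit
# c1120bbbe8. MockForm stands in for CGI::FormBuilder: field() returns
# every submitted value in list context and only the first in scalar
# context, which is the behaviour the commit message describes.
use strict;
use warnings;

package MockForm;
sub new { my ($class, %fields) = @_; return bless {%fields}, $class }
sub field {
    my ($self, $name) = @_;
    my @values = @{ $self->{$name} // [] };
    return wantarray ? @values : $values[0];
}

package main;

# Hypothetical consumer with no prototype: like any plain Perl sub it
# trusts whatever lands in its positional arguments.
sub check_login {
    my ($username, $password, $field) = @_;
    return "user=$username password=$password field=$field";
}

# A request in which the "name" field was submitted three times
# (constructed sample input).
my $form = MockForm->new(
    name     => [ 'alice', 'hunter2', 'email' ],
    password => [ 'x' ],
    field    => [ 'email' ],
);

# Unsafe: each field() call sits in list context inside the argument
# list, so the extra "name" values shift into the other parameters.
my $unsafe = check_login($form->field('name'),
                         $form->field('password'),
                         $form->field('field'));
print "unsafe: $unsafe\n";

# Fixed, as in the commit: force scalar context so each field contributes
# exactly one argument regardless of how many values were submitted.
my $safe = check_login(scalar $form->field('name'),
                       scalar $form->field('password'),
                       scalar $form->field('field'));
print "safe: $safe\n";
```

Running it shows the unsafe call reporting the second and third "name" values as the password and field, while the scalar-forced call keeps every parameter in its intended position.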