Use userControl and not XSS check to validate username (#666)
This commit is contained in:
parent
fc61240345
commit
71d9ad4f59
|
@ -69,7 +69,7 @@ use Digest::MD5;
|
|||
#inherits Apache::Session
|
||||
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
||||
|
||||
our $VERSION = '1.3.1';
|
||||
our $VERSION = '1.3.2';
|
||||
|
||||
use base qw(Lemonldap::NG::Common::CGI Exporter);
|
||||
our @ISA;
|
||||
|
@ -674,6 +674,7 @@ sub setDefaultValues {
|
|||
|
||||
# XSS
|
||||
$self->{checkXSS} = 1 unless defined $self->{checkXSS};
|
||||
$self->{userControl} ||= '^[\w\.\-@]+$';
|
||||
}
|
||||
|
||||
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
|
||||
|
@ -1233,10 +1234,20 @@ sub get_url {
|
|||
# @return user parameter if good, nothing else.
|
||||
sub get_user {
|
||||
my $self = shift;
|
||||
return "" unless $self->{user};
|
||||
return $self->{user}
|
||||
unless ( $self->checkXSSAttack( 'user', $self->{user} ) );
|
||||
return "";
|
||||
|
||||
return undef unless $self->{user};
|
||||
unless ( $self->{user} =~ /$self->{userControl}/o ) {
|
||||
$self->lmLog(
|
||||
"Value "
|
||||
. $self->{user}
|
||||
. " does not match userControl regexp: "
|
||||
. $self->{userControl},
|
||||
'warn'
|
||||
);
|
||||
return undef;
|
||||
}
|
||||
|
||||
return $self->{user};
|
||||
}
|
||||
|
||||
## @method string get_module(string type)
|
||||
|
|
|
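Review bot: `return undef unless $self->{user}` and the later `return undef;` in the new get_user should be bare `return;` — in list context `return undef` yields a one-element, true list, so a caller such as `my %h = (user => $self->get_user)` would see the rejected username as present, and the header comment "user parameter if good, nothing else" describes the bare form. The match `/$self->{userControl}/o` compiles the interpolated pattern once per interpreter; if one mod_perl process ever serves portal instances with different userControl values, later instances would keep matching against the first pattern compiled, which `/$self->{userControl}/` without `/o` (or a `qr//` built when the configuration is loaded) avoids. The default set in setDefaultValues, `^[\w\.\-@]+$`, lets `$` match before a trailing newline, so `"alice\n"` passes the check; `\A[\w\.\-@]+\z` closes that gap. The warn-level log line writes the rejected value verbatim, and since that value has by definition failed validation it is worth stripping or escaping control characters before it reaches the log.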
@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::_WebForm;
|
|||
use Lemonldap::NG::Portal::Simple qw(:all);
|
||||
use strict;
|
||||
|
||||
our $VERSION = '1.3.1';
|
||||
our $VERSION = '1.3.2';
|
||||
|
||||
## @apmethod int authInit()
|
||||
# Does nothing.
|
||||
|
@ -96,10 +96,9 @@ sub extractFormInfo {
|
|||
|
||||
# Other parameters
|
||||
$self->{timezone} = $self->param('timezone');
|
||||
$self->{userControl} ||= '^[\w\.\-@]+$';
|
||||
|
||||
# Check user
|
||||
return PE_MALFORMEDUSER unless ( $self->{user} =~ /$self->{userControl}/o );
|
||||
return PE_MALFORMEDUSER unless $self->get_user;
|
||||
|
||||
PE_OK;
|
||||
}
|
||||
|
|
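Review bot: `return PE_MALFORMEDUSER unless $self->get_user;` changes the outcome for the literal username `0`: the removed line accepted it because `0` matches `^[\w\.\-@]+$`, whereas get_user in Lemonldap::NG::Portal::Simple now returns undef for any false `$self->{user}` before the regexp runs, so that login is reported as malformed. If that is intended, a comment on this line such as `# get_user also rejects empty and "0" usernames` would spare the next reader the trace; otherwise the guard in get_user should test `defined` and length rather than truth. The hunk also drops the local `$self->{userControl} ||= ...` default, so this module now relies on setDefaultValues having populated userControl before extractFormInfo runs — with an undef userControl the interpolated empty pattern would reuse the last successful regexp, so that ordering matters. extractFormInfo begins outside the hunk.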