Use userControl and not XSS check to validate username (#666)
parent
fc61240345
commit
71d9ad4f59
|
@ -69,7 +69,7 @@ use Digest::MD5;
|
||||||
#inherits Apache::Session
|
#inherits Apache::Session
|
||||||
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
|
||||||
|
|
||||||
our $VERSION = '1.3.1';
|
our $VERSION = '1.3.2';
|
||||||
|
|
||||||
use base qw(Lemonldap::NG::Common::CGI Exporter);
|
use base qw(Lemonldap::NG::Common::CGI Exporter);
|
||||||
our @ISA;
|
our @ISA;
|
||||||
|
@ -674,6 +674,7 @@ sub setDefaultValues {
|
||||||
|
|
||||||
# XSS
|
# XSS
|
||||||
$self->{checkXSS} = 1 unless defined $self->{checkXSS};
|
$self->{checkXSS} = 1 unless defined $self->{checkXSS};
|
||||||
|
$self->{userControl} ||= '^[\w\.\-@]+$';
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
|
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
|
||||||
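Review bot: The `# XSS` comment on the context line above now also heads the added `$self->{userControl} ||= '^[\w\.\-@]+$';` default, which has nothing to do with the XSS check; a one-line comment on the new line such as `# Allowed username syntax, enforced by get_user` would keep the two settings apart. The default pattern anchors with `^`/`$`, and Perl's `$` also matches before a single trailing newline, so a value like "alice" followed by a newline still passes; `\w` is Unicode-aware as well. If only ASCII identifiers are intended, `'\A[\w.\-@]+\z'` is the tighter anchoring (the `.` needs no escape inside a class). The enclosing sub setDefaultValues starts outside the hunk.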
|
@ -1233,10 +1234,20 @@ sub get_url {
|
||||||
# @return user parameter if good, nothing else.
|
# @return user parameter if good, nothing else.
|
||||||
sub get_user {
|
sub get_user {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
return "" unless $self->{user};
|
|
||||||
return $self->{user}
|
return undef unless $self->{user};
|
||||||
unless ( $self->checkXSSAttack( 'user', $self->{user} ) );
|
unless ( $self->{user} =~ /$self->{userControl}/o ) {
|
||||||
return "";
|
$self->lmLog(
|
||||||
|
"Value "
|
||||||
|
. $self->{user}
|
||||||
|
. " does not match userControl regexp: "
|
||||||
|
. $self->{userControl},
|
||||||
|
'warn'
|
||||||
|
);
|
||||||
|
return undef;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $self->{user};
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method string get_module(string type)
|
## @method string get_module(string type)
|
||||||
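Review bot: The `/o` on the new `unless ( $self->{user} =~ /$self->{userControl}/o ) {` line compiles the interpolated pattern once per process, so if `userControl` can differ between portal instances living in the same interpreter, every later instance silently reuses the first pattern; dropping `/o` (or precompiling with `qr//` once when the value is set) avoids that. The warning logged on the following lines embeds the rejected value verbatim, and because it has just failed the regex it may contain newlines or control characters; escaping it first, e.g. `( my $shown = $self->{user} ) =~ s/[^[:print:]]/?/g;` and logging `$shown`, keeps one request from forging extra log lines. Both `return undef;` lines yield a one-element list in list context; the idiomatic `return;` behaves the same for the `unless $self->get_user` test in extractFormInfo. Callers that previously compared the result to `""` will also see `undef` now, which is worth a note in the `# @return` comment above.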
|
|
|
@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::_WebForm;
|
||||||
use Lemonldap::NG::Portal::Simple qw(:all);
|
use Lemonldap::NG::Portal::Simple qw(:all);
|
||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our $VERSION = '1.3.1';
|
our $VERSION = '1.3.2';
|
||||||
|
|
||||||
## @apmethod int authInit()
|
## @apmethod int authInit()
|
||||||
# Does nothing.
|
# Does nothing.
|
||||||
|
@ -96,10 +96,9 @@ sub extractFormInfo {
|
||||||
|
|
||||||
# Other parameters
|
# Other parameters
|
||||||
$self->{timezone} = $self->param('timezone');
|
$self->{timezone} = $self->param('timezone');
|
||||||
$self->{userControl} ||= '^[\w\.\-@]+$';
|
|
||||||
|
|
||||||
# Check user
|
# Check user
|
||||||
return PE_MALFORMEDUSER unless ( $self->{user} =~ /$self->{userControl}/o );
|
return PE_MALFORMEDUSER unless $self->get_user;
|
||||||
|
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
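Review bot: Removing the `$self->{userControl} ||= ...` fallback makes `return PE_MALFORMEDUSER unless $self->get_user;` depend entirely on setDefaultValues having populated `userControl` beforehand; if get_user ever runs with it undefined, the interpolated pattern is empty, and Perl treats an empty pattern as "reuse the last successful match" rather than "match nothing", so the validation would silently become whatever regex last matched. A `defined` guard on `userControl` inside get_user (or keeping this fallback) closes that gap. Note also that a username consisting solely of `0` used to pass the direct regex match here but is now reported as PE_MALFORMEDUSER, since get_user returns it as a false value and its own `unless $self->{user}` guard treats it as absent; probably acceptable, but worth a comment. The enclosing sub extractFormInfo starts outside the hunk.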
|
|