From f82a7319beba9b5e535d23cd9aa97724ebe40f12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?= <clement@oodo.net>
Date: Mon, 11 May 2015 13:50:55 +0000
Subject: [PATCH] Display correct skin in mail reset page (#818)

---
 lemonldap-ng-portal/example/skins/bootstrap/mail.tpl     | 5 ++++-
 .../example/skins/bootstrap/standardform.tpl             | 2 +-
 lemonldap-ng-portal/example/skins/impact/mail.tpl        | 5 ++++-
 .../example/skins/impact/standardform.tpl                | 2 +-
 lemonldap-ng-portal/example/skins/pastel/mail.tpl        | 5 ++++-
 .../example/skins/pastel/standardform.tpl                | 2 +-
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm | 3 ++-
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm    | 9 ++++++++-
 8 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/lemonldap-ng-portal/example/skins/bootstrap/mail.tpl b/lemonldap-ng-portal/example/skins/bootstrap/mail.tpl
index 7ad122f74..04fc779cc 100644
--- a/lemonldap-ng-portal/example/skins/bootstrap/mail.tpl
+++ b/lemonldap-ng-portal/example/skins/bootstrap/mail.tpl
@@ -13,6 +13,7 @@
     <form action="#" method="post" class="login" role="form">
     <div class="form">
 
+    <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
     <TMPL_IF NAME="CHOICE_VALUE">
       <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
     </TMPL_IF>
@@ -49,6 +50,7 @@
     <form action="#" method="post" class="login" role="form">
     <div class="form">
 
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
         <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -87,6 +89,7 @@
       <form action="#" method="post" class="password" role="form">
       <div class="form">
 
+        <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
         <TMPL_IF NAME="CHOICE_VALUE">
           <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
         </TMPL_IF>
@@ -152,7 +155,7 @@
   </div>
 
   <div class="buttons">
-    <a href="<TMPL_VAR NAME="PORTAL_URL">" class="btn btn-primary" role="button">
+    <a href="<TMPL_VAR NAME="PORTAL_URL">?skin=<TMPL_VAR NAME="SKIN">" class="btn btn-primary" role="button">
       <span class="glyphicon glyphicon-home"></span>
       <lang en="Go back to portal" fr="Retourner au portail" />
     </a>
diff --git a/lemonldap-ng-portal/example/skins/bootstrap/standardform.tpl b/lemonldap-ng-portal/example/skins/bootstrap/standardform.tpl
index 8a788e704..5b4498ce5 100644
--- a/lemonldap-ng-portal/example/skins/bootstrap/standardform.tpl
+++ b/lemonldap-ng-portal/example/skins/bootstrap/standardform.tpl
@@ -30,7 +30,7 @@
 
 <div class="actions">
   <TMPL_IF NAME="DISPLAY_RESETPASSWORD">
-  <a class="btn btn-info" href="<TMPL_VAR NAME="MAIL_URL"><TMPL_IF NAME="key">?<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>">
+  <a class="btn btn-info" href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>">
     <span class="glyphicon glyphicon-info-sign"></span>
     <lang en="Reset my password" fr="R&eacute;initialiser mon mot de passe"/>
   </a>
diff --git a/lemonldap-ng-portal/example/skins/impact/mail.tpl b/lemonldap-ng-portal/example/skins/impact/mail.tpl
index 212c7955b..16ea075eb 100644
--- a/lemonldap-ng-portal/example/skins/impact/mail.tpl
+++ b/lemonldap-ng-portal/example/skins/impact/mail.tpl
@@ -13,6 +13,7 @@
 
       <TMPL_IF NAME="DISPLAY_FORM">
       <form action="#" method="post" class="login">
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
       <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -47,6 +48,7 @@
 
       <TMPL_IF NAME="DISPLAY_RESEND_FORM">
       <form action="#" method="post" class="login">
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
       <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -80,6 +82,7 @@
 
       <TMPL_IF NAME="DISPLAY_PASSWORD_FORM">
       <form action="#" method="post" class="password">
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
       <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -125,7 +128,7 @@
       </TMPL_IF>
 
       <div class="panel-buttons">
-        <button type="button" class="positive" tabindex="1" onclick="location.href='<TMPL_VAR NAME="PORTAL_URL">';return false;">
+        <button type="button" class="positive" tabindex="1" onclick="location.href='<TMPL_VAR NAME="PORTAL_URL">?skin=<TMPL_VAR NAME="SKIN">';return false;">
           <lang en="Go to portal" fr="Aller au portail" />
         </button>
       </div>
diff --git a/lemonldap-ng-portal/example/skins/impact/standardform.tpl b/lemonldap-ng-portal/example/skins/impact/standardform.tpl
index 8916f8382..6181889c3 100644
--- a/lemonldap-ng-portal/example/skins/impact/standardform.tpl
+++ b/lemonldap-ng-portal/example/skins/impact/standardform.tpl
@@ -39,7 +39,7 @@
 
       <TMPL_IF NAME="DISPLAY_RESETPASSWORD">
       <p>
-        <img src="<TMPL_VAR NAME="SKIN_PATH">/<TMPL_VAR NAME="SKIN">/images/arrow.png" /><a href="<TMPL_VAR NAME="MAIL_URL"><TMPL_IF NAME="key">?<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>"><lang en="Reset my password" fr="R&eacute;initialiser mon mot de passe"/></a>
+        <img src="<TMPL_VAR NAME="SKIN_PATH">/<TMPL_VAR NAME="SKIN">/images/arrow.png" /><a href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>"><lang en="Reset my password" fr="R&eacute;initialiser mon mot de passe"/></a>
       </p>
       </TMPL_IF>
 
diff --git a/lemonldap-ng-portal/example/skins/pastel/mail.tpl b/lemonldap-ng-portal/example/skins/pastel/mail.tpl
index ef49a7ab2..35e5b79e5 100644
--- a/lemonldap-ng-portal/example/skins/pastel/mail.tpl
+++ b/lemonldap-ng-portal/example/skins/pastel/mail.tpl
@@ -12,6 +12,7 @@
 
     <form action="#" method="post" class="login">
 
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
         <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -50,6 +51,7 @@
 
     <form action="#" method="post" class="login">
 
+      <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
       <TMPL_IF NAME="CHOICE_VALUE">
         <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
       </TMPL_IF>
@@ -85,6 +87,7 @@
   <TMPL_IF NAME="DISPLAY_PASSWORD_FORM">
     <div id="password">
       <form action="#" method="post" class="password">
+        <input type="hidden" name="skin" value="<TMPL_VAR NAME="SKIN">" />
         <TMPL_IF NAME="CHOICE_VALUE">
           <input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
         </TMPL_IF>
@@ -139,7 +142,7 @@
   </TMPL_IF>
 
   <div class="link">
-    <a href="<TMPL_VAR NAME="PORTAL_URL">">
+    <a href="<TMPL_VAR NAME="PORTAL_URL">?skin=<TMPL_VAR NAME="SKIN">">
       <lang en="Go back to portal" fr="Retourner au portail" />
     </a>
   </div>
diff --git a/lemonldap-ng-portal/example/skins/pastel/standardform.tpl b/lemonldap-ng-portal/example/skins/pastel/standardform.tpl
index 1682c0555..634d508bc 100644
--- a/lemonldap-ng-portal/example/skins/pastel/standardform.tpl
+++ b/lemonldap-ng-portal/example/skins/pastel/standardform.tpl
@@ -43,7 +43,7 @@
   <TMPL_IF NAME="DISPLAY_RESETPASSWORD">
     <tr><td colspan="2">
       <div class="buttons">
-        <a class="positive" tabindex="5" href="<TMPL_VAR NAME="MAIL_URL"><TMPL_IF NAME="key">?<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>">
+        <a class="positive" tabindex="5" href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF>">
           <img src="<TMPL_VAR NAME="SKIN_PATH">/common/email.png" alt="" />
           <lang en="Reset my password" fr="R&eacute;initialiser mon mot de passe"/>
         </a>
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
index 8ce247bd7..cf3823b79 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/MailReset.pm
@@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::MailReset;
 use strict;
 use warnings;
 
-our $VERSION = '1.4.2';
+our $VERSION = '1.4.5';
 
 use Lemonldap::NG::Portal::Simple qw(:all);
 use base qw(Lemonldap::NG::Portal::SharedConf Exporter);
@@ -304,6 +304,7 @@ sub sendConfirmationMail {
 
     # Build confirmation url
     my $url = $self->{mailUrl} . "?mail_token=" . $self->{id};
+    $url .= '&skin=' . $self->getSkin();
     $url .= '&' . $self->{authChoiceParam} . '=' . $self->{_authChoice}
       if ( $self->{_authChoice} );
 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
index 78d752c28..f3b87b651 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@@ -71,7 +71,7 @@ use Digest::MD5;
 #inherits Apache::Session
 #link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
 
-our $VERSION = '1.4.4';
+our $VERSION = '1.4.5';
 
 use base qw(Lemonldap::NG::Common::CGI Exporter);
 our @ISA;
@@ -1417,6 +1417,13 @@ sub getSkin {
         }
     }
 
+    # Check skin GET/POST parameter
+    my $skinParam = $self->param('skin');
+    if ( defined $skinParam && !$self->checkXSSAttack( 'skin', $skinParam ) ) {
+        $skin = $skinParam;
+        $self->lmLog( "Skin $skin selected from GET/POST parameter", 'debug' );
+    }
+
     return $skin;
 }