Commit 71d9ad4f authored by Clément OUDOT's avatar Clément OUDOT

Use userControl and not XSS check to validate username (#666)

parent fc612403
......@@ -69,7 +69,7 @@ use Digest::MD5;
#inherits Apache::Session
#link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
our $VERSION = '1.3.1';
our $VERSION = '1.3.2';
use base qw(Lemonldap::NG::Common::CGI Exporter);
our @ISA;
......@@ -674,6 +674,7 @@ sub setDefaultValues {
# XSS
$self->{checkXSS} = 1 unless defined $self->{checkXSS};
$self->{userControl} ||= '^[\w\.\-@]+$';
}
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
......@@ -1233,10 +1234,20 @@ sub get_url {
# @return user parameter if good, nothing else.
sub get_user {
my $self = shift;
return "" unless $self->{user};
return $self->{user}
unless ( $self->checkXSSAttack( 'user', $self->{user} ) );
return "";
return undef unless $self->{user};
unless ( $self->{user} =~ /$self->{userControl}/o ) {
$self->lmLog(
"Value "
. $self->{user}
. " does not match userControl regexp: "
. $self->{userControl},
'warn'
);
return undef;
}
return $self->{user};
}
## @method string get_module(string type)
......
......@@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::_WebForm;
use Lemonldap::NG::Portal::Simple qw(:all);
use strict;
our $VERSION = '1.3.1';
our $VERSION = '1.3.2';
## @apmethod int authInit()
# Does nothing.
......@@ -96,10 +96,9 @@ sub extractFormInfo {
# Other parameters
$self->{timezone} = $self->param('timezone');
$self->{userControl} ||= '^[\w\.\-@]+$';
# Check user
return PE_MALFORMEDUSER unless ( $self->{user} =~ /$self->{userControl}/o );
return PE_MALFORMEDUSER unless $self->get_user;
PE_OK;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment