Changeset 174 for trunk/dns.cgi


Ignore:
Timestamp:
11/30/11 18:11:03 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Security review (See #30)

  • convert error-message-passing via changepage to use the session to store the message so it can't be fiddled with in transit
File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/dns.cgi

    r173 r174  
    289289
    290290  $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
    291   $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
     291  if ($session->param('errmsg')) {
     292    $page->param(errmsg => $session->param('errmsg'));
     293    $session->clear('errmsg');
     294  }
    292295
    293296  $page->param(curpage => $webvar{page});
    294 #  if ($webvar{del_failed}) {
    295 #    $page->param(del_failed => 1);
    296 #    $page->param(errmsg => $webvar{errmsg});
    297 #  }
    298297
    299298  listdomains();
     
    306305  fill_grouplist("grouplist");
    307306
    308   if ($webvar{add_failed}) {
     307  if ($session->param('add_failed')) {
     308    $session->clear('add_failed');
    309309    $page->param(add_failed => 1);
    310     $page->param(errmsg => $webvar{errmsg});
     310    $page->param(errmsg => $session->param('errmsg'));
     311    $session->clear('errmsg');
    311312    $page->param(domain => $webvar{domain});
    312313  }
     
    319320  # security check - does the user have permission to access this entity?
    320321  if (!check_scope(id => $webvar{group}, type => 'group')) {
    321     changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain},
     322    $session->param('add_failed', 1);
     323##fixme:  domain a security risk for XSS?
     324    changepage(page => "newdomain", domain => $webvar{domain},
    322325        errmsg => "You do not have permission to add a domain to the requested group");
    323326  }
     
    330333  } else {
    331334    logaction(0, $session->param("username"), $webvar{group}, "Failed adding domain $webvar{domain} ($msg)");
    332     changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain}, errmsg => $msg);
     335    $session->param('add_failed', 1);
     336##fixme:  domain a security risk for XSS?
     337    changepage(page => "newdomain", domain => $webvar{domain}, errmsg => $msg);
    333338  }
    334339
     
    431436
    432437    $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
    433     $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
     438    if ($session->param('errmsg')) {
     439      $page->param(errmsg => $session->param('errmsg'));
     440      $session->clear('errmsg');
     441    }
    434442
    435443  } # close "you can't edit default records" check
     
    733741
    734742  $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
    735   $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
     743  if ($session->param('errmsg')) {
     744    $page->param(errmsg => $session->param('errmsg'));
     745    $session->clear('errmsg');
     746  }
    736747  $page->param(curpage => $webvar{page});
    737748
     
    10151026  $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
    10161027  $page->param(warnmsg => $webvar{warnmsg}) if $webvar{warnmsg};
    1017   $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
     1028  if ($session->param('errmsg')) {
     1029    $page->param(errmsg => $session->param('errmsg'));
     1030    $session->clear('errmsg');
     1031  }
    10181032  $page->param(curpage => $webvar{page});
    10191033
     
    15051519sub changepage {
    15061520  my %params = @_;      # think this works the way I want...
     1521
     1522  # cross-site scripting fixup.  instead of passing error messages by URL/form
     1523  # variable, put them in the session where the nasty user can't meddle.
     1524  if ($params{errmsg}) {
     1525    $session->param('errmsg', $params{errmsg});
     1526    delete $params{errmsg};
     1527  }
    15071528
    15081529  # handle user check
Note: See TracChangeset for help on using the changeset viewer.