Changeset 177


Timestamp:
12/01/11 15:37:37 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Security review (see #30)

  • convert resultmsg and warnmsg message-passing to use the session as a data store
File:
1 edited

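--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -292,5 +292,8 @@
 }
 
-$page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
+if ($session->param('resultmsg')) {
+  $page->param(resultmsg => $session->param('resultmsg'));
+  $session->clear('resultmsg');
+}
 if ($session->param('errmsg')) {
   $page->param(errmsg => $session->param('errmsg'));
@@ -439,5 +442,8 @@
   }
 
-  $page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
+  if ($session->param('resultmsg')) {
+    $page->param(resultmsg => $session->param('resultmsg'));
+    $session->clear('resultmsg');
+  }
   if ($session->param('errmsg')) {
     $page->param(errmsg => $session->param('errmsg'));
@@ -744,5 +750,8 @@
 $page->param(delgrp => $permissions{admin} || $permissions{group_delete});
 
-$page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
+if ($session->param('resultmsg')) {
+  $page->param(resultmsg => $session->param('resultmsg'));
+  $session->clear('resultmsg');
+}
 if ($session->param('errmsg')) {
   $page->param(errmsg => $session->param('errmsg'));
@@ -1028,6 +1037,12 @@
 $page->param(deluser => $permissions{admin} || $permissions{user_delete});
 
-$page->param(resultmsg => $webvar{resultmsg}) if $webvar{resultmsg};
-$page->param(warnmsg => $webvar{warnmsg}) if $webvar{warnmsg};
+if ($session->param('resultmsg')) {
+  $page->param(resultmsg => $session->param('resultmsg'));
+  $session->clear('resultmsg');
+}
+if ($session->param('warnmsg')) {
+  $page->param(warnmsg => $session->param('warnmsg'));
+  $session->clear('warnmsg');
+}
 if ($session->param('errmsg')) {
   $page->param(errmsg => $session->param('errmsg'));
@@ -1526,7 +1541,11 @@
 # cross-site scripting fixup.  instead of passing error messages by URL/form
 # variable, put them in the session where the nasty user can't meddle.
-if ($params{errmsg}) {
-  $session->param('errmsg', $params{errmsg});
-  delete $params{errmsg};
+# these are done here since it's far simpler to pass them in from wherever
+# than set them locally everywhere.
+foreach my $sessme ('resultmsg','warnmsg','errmsg') {
+  if ($params{$sessme}) {
+    $session->param($sessme, $params{$sessme});
+    delete $params{$sessme};
+  }
 }
 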
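Review bot: Moving resultmsg/warnmsg out of the query string closes the reflected vector, but the values still reach the template through `$page->param(resultmsg => $session->param('resultmsg'))` with no escaping anywhere in this file, so any user-supplied text a caller folds into one of these messages remains an HTML-injection path unless the matching `<TMPL_VAR>`s are rendered with `ESCAPE=HTML`; the templates are not in this changeset, so that should be verified rather than assumed, and a comment such as `# messages may embed user input; the template must render them with ESCAPE=HTML` above the foreach in the last hunk would record the requirement. The same fetch-and-clear block is now copied into four page handlers, with warnmsg handled in only one of them, which is how the copies drift out of step; a small helper called from each handler would keep them aligned. The `if ($params{$sessme})` test in the last hunk also silently drops a message whose text is `0`, which is probably unimportant here but worth a `defined` check if messages are ever computed. The sub enclosing the last hunk begins and ends outside it.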