diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2013-11-17 17:10:06 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2013-11-17 17:10:06 -0800 |
| commit | d4cdc4db87f1b6a373398b7ab33e791bd0527dda (patch) | |
| tree | 899459b98e0b15bee54d0b67a41e6eed189e199f | |
| parent | 0076a0d790d1385cd2a16472ec2c11528edbc9e3 (diff) | |
don't redirect to a GET with sensitive data, RT#26099
| -rw-r--r-- | FS/FS/Record.pm | 4 | ||||
| -rw-r--r-- | FS/bin/freeside-queued | 3 | ||||
| -rwxr-xr-x | httemplate/edit/cust_main.cgi | 1 | ||||
| -rwxr-xr-x | httemplate/edit/process/cust_main.cgi | 4 | ||||
| -rw-r--r-- | httemplate/elements/create_uri_query | 21 | ||||
| -rw-r--r-- | httemplate/elements/searchbar-cust_main.html | 2 |
6 files changed, 28 insertions, 7 deletions
diff --git a/FS/FS/Record.pm b/FS/FS/Record.pm index 05deaef1e..493734729 100644 --- a/FS/FS/Record.pm +++ b/FS/FS/Record.pm @@ -1251,7 +1251,7 @@ sub insert { } my $h_sth; - if ( defined dbdef->table('h_'. $table) ) { + if ( defined( dbdef->table('h_'. $table) ) && ! $no_history ) { my $h_statement = $self->_h_statement('insert'); warn "[debug]$me $h_statement\n" if $DEBUG > 2; $h_sth = dbh->prepare($h_statement) or do { @@ -3004,7 +3004,7 @@ You should generally not have to worry about calling this, as the system handles sub encrypt { my ($self, $value) = @_; - my $encrypted; + my $encrypted = $value; if ($conf->exists('encryption')) { if ($self->is_encrypted($value)) { diff --git a/FS/bin/freeside-queued b/FS/bin/freeside-queued index 5eac06b24..f1a87cac9 100644 --- a/FS/bin/freeside-queued +++ b/FS/bin/freeside-queued @@ -12,6 +12,7 @@ use FS::Record qw(qsearch); use FS::queue; use FS::queue_depend; use FS::Log; +use FS::Cron::expire_user_pref qw( expire_user_pref ); # no autoloading for non-FS classes... use Net::SSH 0.07; @@ -66,6 +67,7 @@ while (1) { if ( $kids >= $max_kids ) { warn "WARNING: maximum $kids children reached\n" unless $warnkids++; &reap_kids; + expire_user_pref() unless $warnkids % 10; sleep 1; #waiting for signals is cheap next; } @@ -131,6 +133,7 @@ while (1) { undef $FS::UID::dbh; next; }; + expire_user_pref(); sleep $sleep_time; next; } diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi index 8a3d6f918..480047cae 100755 --- a/httemplate/edit/cust_main.cgi +++ b/httemplate/edit/cust_main.cgi @@ -203,6 +203,7 @@ my $prospectnum = ''; my $locationnum = ''; my $same = ''; +$m->comp('/elements/handle_uri_query', 'secure'=>1); if ( $cgi->param('error') ) { diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi index ff8be1a71..4fb8f622d 100755 --- a/httemplate/edit/process/cust_main.cgi +++ b/httemplate/edit/process/cust_main.cgi @@ -1,7 +1,7 @@ % if ( $error ) { % $cgi->param('error', $error); -% -<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %> +% my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1); +<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %> % % } else { % diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query index 32d8e2f87..ce6249e0e 100644 --- a/httemplate/elements/create_uri_query +++ b/httemplate/elements/create_uri_query @@ -1,17 +1,34 @@ <% $query %>\ <%init> +my %opt = @_; + +if ( $opt{secure} ) { + + foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) { + my $value = $cgi->param($param); + next unless length($value); + my $encrypted = FS::Record->encrypt( $value ); + $cgi->param($param, $encrypted); + } + +} + my $query = $cgi->query_string; -if ( length($query) > 1920 ) { #stupid IE 2083 URL limit +if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit my $session = int(rand(4294967296)); #XXX my $pref = new FS::access_user_pref({ 'usernum' => $FS::CurrentUser::CurrentUser->usernum, 'prefname' => "redirect$session", 'prefvalue' => $query, - 'expiration' => time + 3600, #1h? 1m? + 'expiration' => time + ( $opt{secure} ? 120 #2m? + : 3600 #1h? + ), }); + local($FS::Record::no_history) = 1; + my $pref_error = $pref->insert; if ( $pref_error ) { die "FATAL: couldn't even set redirect cookie: $pref_error". diff --git a/httemplate/elements/searchbar-cust_main.html b/httemplate/elements/searchbar-cust_main.html index 9a98417c8..5bfef484a 100644 --- a/httemplate/elements/searchbar-cust_main.html +++ b/httemplate/elements/searchbar-cust_main.html @@ -1,6 +1,6 @@ % if ( $curuser->access_right('List customers') ) { - <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="GET" STYLE="margin:0"> + <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="POST" STYLE="margin:0"> <INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR> <A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A> <INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px"> |