summaryrefslogtreecommitdiff
path: root/httemplate/elements/create_uri_query
diff options
context:
space:
mode:
authorIvan Kohler <ivan@freeside.biz>2013-11-17 17:10:06 -0800
committerIvan Kohler <ivan@freeside.biz>2013-11-17 17:10:06 -0800
commitd4cdc4db87f1b6a373398b7ab33e791bd0527dda (patch)
tree899459b98e0b15bee54d0b67a41e6eed189e199f /httemplate/elements/create_uri_query
parent0076a0d790d1385cd2a16472ec2c11528edbc9e3 (diff)
don't redirect to a GET with sensitive data, RT#26099
Diffstat (limited to 'httemplate/elements/create_uri_query')
-rw-r--r--httemplate/elements/create_uri_query21
1 files changed, 19 insertions, 2 deletions
diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query
index 32d8e2f87..ce6249e0e 100644
--- a/httemplate/elements/create_uri_query
+++ b/httemplate/elements/create_uri_query
@@ -1,17 +1,34 @@
<% $query %>\
<%init>
+my %opt = @_;
+
+if ( $opt{secure} ) {
+
+ foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+ my $value = $cgi->param($param);
+ next unless length($value);
+ my $encrypted = FS::Record->encrypt( $value );
+ $cgi->param($param, $encrypted);
+ }
+
+}
+
my $query = $cgi->query_string;
-if ( length($query) > 1920 ) { #stupid IE 2083 URL limit
+if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit
my $session = int(rand(4294967296)); #XXX
my $pref = new FS::access_user_pref({
'usernum' => $FS::CurrentUser::CurrentUser->usernum,
'prefname' => "redirect$session",
'prefvalue' => $query,
- 'expiration' => time + 3600, #1h? 1m?
+ 'expiration' => time + ( $opt{secure} ? 120 #2m?
+ : 3600 #1h?
+ ),
});
+ local($FS::Record::no_history) = 1;
+
my $pref_error = $pref->insert;
if ( $pref_error ) {
die "FATAL: couldn't even set redirect cookie: $pref_error".
generated by cgit v1.2.1 (git 2.18.0) at 2025-06-14 04:03:43 +0000