don't redirect to a GET with sensitive data, RT#26099

author: Ivan Kohler <ivan@freeside.biz> 2013-11-17 17:10:45 -0800
committer: Ivan Kohler <ivan@freeside.biz> 2013-11-17 17:10:45 -0800
commit: a56ef0afb5d1ba6f5b25116ca289d732371616d5 (patch)
tree: c8d7a0195309f89bf4b7e11c91e1547f8d8bb1ac /httemplate/elements/handle_uri_query
parent: d4cdc4db87f1b6a373398b7ab33e791bd0527dda (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/httemplate/elements/handle_uri_query b/httemplate/elements/handle_uri_query
index eb7ea1ae1..2dea96a6d 100644
--- a/httemplate/elements/handle_uri_query
+++ b/httemplate/elements/handle_uri_query
@@ -1,8 +1,20 @@
 <%init>
+
+my %opt = @_;
+
 if ( $cgi->param('redirect') ) {
   my $session = $cgi->param('redirect');
+
   my $pref = $FS::CurrentUser::CurrentUser->option("redirect$session");
   die "unknown redirect session $session\n" unless length($pref);
   $cgi = new CGI($pref);
+
+  foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+    my $value = $cgi->param($param);
+    next unless length($value);
+    my $decrypted = FS::Record->decrypt( $value );
+    $cgi->param($param, $decrypted);
+  }
+
 }
 </%init>
author	Ivan Kohler <ivan@freeside.biz>	2013-11-17 17:10:45 -0800
committer	Ivan Kohler <ivan@freeside.biz>	2013-11-17 17:10:45 -0800
commit	a56ef0afb5d1ba6f5b25116ca289d732371616d5 (patch)
tree	c8d7a0195309f89bf4b7e11c91e1547f8d8bb1ac /httemplate/elements/handle_uri_query
parent	d4cdc4db87f1b6a373398b7ab33e791bd0527dda (diff)