author | Ivan Kohler <ivan@freeside.biz> | 2013-11-17 17:10:06 -0800 |
committer | Ivan Kohler <ivan@freeside.biz> | 2013-11-17 17:10:06 -0800 |
commit | d4cdc4db87f1b6a373398b7ab33e791bd0527dda (patch) | |
tree | 899459b98e0b15bee54d0b67a41e6eed189e199f /httemplate | |
parent | 0076a0d790d1385cd2a16472ec2c11528edbc9e3 (diff) |
don't redirect to a GET with sensitive data, RT#26099
Diffstat (limited to 'httemplate')
-rwxr-xr-x | httemplate/edit/cust_main.cgi | 1 | ||||
-rwxr-xr-x | httemplate/edit/process/cust_main.cgi | 4 | ||||
-rw-r--r-- | httemplate/elements/create_uri_query | 21 | ||||
-rw-r--r-- | httemplate/elements/searchbar-cust_main.html | 2 |
4 files changed, 23 insertions, 5 deletions
diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi index 8a3d6f918..480047cae 100755 --- a/httemplate/edit/cust_main.cgi +++ b/httemplate/edit/cust_main.cgi @@ -203,6 +203,7 @@ my $prospectnum = ''; my $locationnum = ''; my $same = ''; +$m->comp('/elements/handle_uri_query', 'secure'=>1); if ( $cgi->param('error') ) { diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi index ff8be1a71..4fb8f622d 100755 --- a/httemplate/edit/process/cust_main.cgi +++ b/httemplate/edit/process/cust_main.cgi @@ -1,7 +1,7 @@ % if ( $error ) { % $cgi->param('error', $error); -% -<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %> +% my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1); +<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %> % % } else { % diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query index 32d8e2f87..ce6249e0e 100644 --- a/httemplate/elements/create_uri_query +++ b/httemplate/elements/create_uri_query @@ -1,17 +1,34 @@ <% $query %>\ <%init> +my %opt = @_; + +if ( $opt{secure} ) { + + foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) { + my $value = $cgi->param($param); + next unless length($value); + my $encrypted = FS::Record->encrypt( $value ); + $cgi->param($param, $encrypted); + } + +} + my $query = $cgi->query_string; -if ( length($query) > 1920 ) { #stupid IE 2083 URL limit +if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit my $session = int(rand(4294967296)); #XXX my $pref = new FS::access_user_pref({ 'usernum' => $FS::CurrentUser::CurrentUser->usernum, 'prefname' => "redirect$session", 'prefvalue' => $query, - 'expiration' => time + 3600, #1h? 1m? + 'expiration' => time + ( $opt{secure} ? 120 #2m? + : 3600 #1h? + ), }); + local($FS::Record::no_history) = 1; + my $pref_error = $pref->insert; if ( $pref_error ) { die "FATAL: couldn't even set redirect cookie: $pref_error". 
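Review bot: The new `$m->comp('/elements/handle_uri_query', 'secure'=>1);` line passes an option that nothing in this commit implements: the diffstat (limited to httemplate) lists no change to httemplate/elements/handle_uri_query, so unless that component already understands `secure` and reverses the `FS::Record->encrypt` that create_uri_query applies to the payinfo/paycvv params, the restored form will redisplay those values as ciphertext. Worth confirming against the component, and either way a comment at the call site, `# 'secure': the stored query has payinfo/paycvv encrypted; handle_uri_query must decrypt them`, records the pairing. The call runs unconditionally ahead of the `$cgi->param('error')` check, which looks intended since the error redirect is what now carries only a redirect token. The surrounding code continues outside the hunk.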
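Review bot: The redirect on the second added line relies on a side effect of `create_uri_query` that is invisible at this call site: with `secure=>1` the component overwrites the payinfo/paycvv params in `$cgi` with their `FS::Record->encrypt` output and always persists the query in access_user_pref, returning only a `redirect=<session>` token for the URL. Every other parameter of the failed submission is stored in that row in cleartext (only names matching `/pay(info\d?|cvv)$/` are encrypted), and if `FS::Record->encrypt` passes data through when no encryption key is configured, which I believe is its behaviour, the card data lands in the database unencrypted too, so that is worth checking before relying on the 120-second expiration. The token itself is `int(rand(4294967296))` in the create_uri_query hunk, a 32-bit non-cryptographic value whose only other protection is the lookup being keyed to the current usernum. A comment on the new `my $query` line such as `# secure: payinfo/paycvv are encrypted and the query is stored server-side; the URL carries only a redirect token` would document the contract; the `else` branch of this block continues outside the hunk.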
diff --git a/httemplate/elements/searchbar-cust_main.html b/httemplate/elements/searchbar-cust_main.html index 9a98417c8..5bfef484a 100644 --- a/httemplate/elements/searchbar-cust_main.html +++ b/httemplate/elements/searchbar-cust_main.html @@ -1,6 +1,6 @@ % if ( $curuser->access_right('List customers') ) { - <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="GET" STYLE="margin:0"> + <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="POST" STYLE="margin:0"> <INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR> <A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A> <INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px"> |