RT#29354: Password Security in Email [customer fields, images, js files]
[freeside.git] / fs_selfservice / FS-SelfService / cgi / selfservice.cgi
index 4c666cb..aff9bca 100755 (executable)
@@ -23,6 +23,7 @@ use FS::SelfService qw(
   mason_comp port_graph
   start_thirdparty finish_thirdparty
   reset_passwd check_reset_passwd process_reset_passwd
+  validate_passwd
   billing_history
 );
 
@@ -85,6 +86,7 @@ my @actions = ( qw(
   process_suspend_pkg
   switch_cust
   history
+  validate_password
 ));
 
 my @nologin_actions = (qw(
@@ -93,6 +95,7 @@ my @nologin_actions = (qw(
   process_forgot_password
   do_process_forgot_password
   process_forgot_password_session
+  validate_password_nologin
 ));
 push @actions, @nologin_actions;
 my %nologin_actions = map { $_=>1 } @nologin_actions;
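Review bot: Registering `validate_password_nologin` in `@nologin_actions` makes a password-checking call reachable without a session, because the `unless ( $nologin_actions{$action} )` block that fetches the cookies is skipped for these actions. The handler added at the end of this commit forwards `check_password` from the request straight to `validate_passwd`. The candidate password should therefore only be accepted from a POST body, so it never lands in a query string and the access logs. The endpoint should also get whatever request throttling the other pre-login actions have; none is visible in this diff. A short comment on the list entry would record the constraint, for example `# no session: generic policy check only, must not reveal per-account state`.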
@@ -109,7 +112,6 @@ if ( $cgi->param('action') =~ /^process_forgot_password_session_(\w+)$/ ) {
     warn "WARNING: unrecognized action '$1'\n";
   }
 }
-
 unless ( $nologin_actions{$action} ) {
 
   my %cookies = CGI::Cookie->fetch;
@@ -583,10 +585,15 @@ sub make_payment {
 
   my $payment_info = payment_info( 'session_id' => $session_id );
 
+  my $amount = 
+    ($payment_info->{'balance'} && ($payment_info->{'balance'} > 0))
+    ? $payment_info->{'balance'}
+    : '';
+
   my $tr_amount_fee = mason_comp(
     'session_id' => $session_id,
     'comp'       => '/elements/tr-amount_fee.html',
-    'args'       => [ 'amount' => $payment_info->{'balance'},
+    'args'       => [ 'amount' => $amount,
                     ],
   );
 
@@ -1118,6 +1125,22 @@ sub do_process_forgot_password {
   );
 }
 
+sub validate_password {
+  validate_passwd(
+    'session_id' => $session_id,
+    map { $_ => scalar($cgi->param($_)) }
+      qw( fieldid svcnum check_password )
+  )
+}
+
+sub validate_password_nologin {
+  $action = 'validate_password'; #use same landing page
+  validate_passwd(
+    map { $_ => scalar($cgi->param($_)) }
+      qw( fieldid check_password )
+  )
+}
+
 #--
 
 sub do_template {
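Review bot: `validate_password` takes `svcnum` from the request and passes it on with `$session_id`, so nothing in this file ties that service to the logged-in customer. Whether a user can only check passwords against their own services depends on an ownership check inside `validate_passwd`, which this diff does not show; please confirm it exists on the backend side. In `validate_password_nologin`, the assignment to the file-level `$action` changes which template is rendered and deserves a fuller comment than the trailing one, e.g. `# No session here: only fieldid and check_password are forwarded; the result is rendered with the validate_password template.`. Both subs also rely on an implicit return with no terminating semicolon; `return validate_passwd( ... );` would make the intent explicit.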