projects / freeside.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
don't redirect to a GET with sensitive data, RT#26099
[freeside.git] / httemplate / elements / create_uri_query
diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query
index 32d8e2f..ce6249e 100644 (file)
--- a/httemplate/elements/create_uri_query
+++ b/httemplate/elements/create_uri_query
@@ -1,17 +1,34 @@
 <% $query %>\
 <%init>
 
+my %opt = @_;
+
+if ( $opt{secure} ) {
+
+  foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+    my $value = $cgi->param($param);
+    next unless length($value);
+    my $encrypted = FS::Record->encrypt( $value );
+    $cgi->param($param, $encrypted);
+  }
+
+}
+
 my $query = $cgi->query_string;
 
-if ( length($query) > 1920 ) { #stupid IE 2083 URL limit
+if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit
 
   my $session = int(rand(4294967296)); #XXX
   my $pref = new FS::access_user_pref({
     'usernum'    => $FS::CurrentUser::CurrentUser->usernum,
     'prefname'   => "redirect$session",
     'prefvalue'  => $query,
-    'expiration' => time + 3600, #1h?  1m?
+    'expiration' => time + ( $opt{secure} ? 120  #2m?
+                                          : 3600 #1h?
+                           ),
   });
+  local($FS::Record::no_history) = 1;
+
   my $pref_error = $pref->insert;
   if ( $pref_error ) {
     die "FATAL: couldn't even set redirect cookie: $pref_error".
Freeside billing, trouble ticketing, network monitoring and provisioning