don't redirect to a GET with sensitive data, RT#26099
author
Ivan Kohler
<ivan@freeside.biz>
Mon, 18 Nov 2013 01:10:24 +0000
(17:10 -0800)
committer
Ivan Kohler
<ivan@freeside.biz>
Mon, 18 Nov 2013 01:10:24 +0000
(17:10 -0800)
FS/FS/Record.pm
FS/bin/freeside-queued
httemplate/edit/cust_main.cgi
httemplate/edit/process/cust_main.cgi
httemplate/elements/create_uri_query
httemplate/elements/searchbar-cust_main.html
diff --git
a/FS/FS/Record.pm
b/FS/FS/Record.pm
index
2c506ff
..
4e0cf8e
100644
(file)
--- a/
FS/FS/Record.pm
+++ b/
FS/FS/Record.pm
@@
-1154,7
+1154,7
@@
sub insert {
my $h_sth;
my $h_sth;
- if ( defined
dbdef->table('h_'. $table)
) {
+ if ( defined
( dbdef->table('h_'. $table) ) && ! $no_history
) {
my $h_statement = $self->_h_statement('insert');
warn "[debug]$me $h_statement\n" if $DEBUG > 2;
$h_sth = dbh->prepare($h_statement) or do {
my $h_statement = $self->_h_statement('insert');
warn "[debug]$me $h_statement\n" if $DEBUG > 2;
$h_sth = dbh->prepare($h_statement) or do {
@@
-2924,7
+2924,7
@@
You should generally not have to worry about calling this, as the system handles
sub encrypt {
my ($self, $value) = @_;
sub encrypt {
my ($self, $value) = @_;
- my $encrypted;
+ my $encrypted
= $value
;
if ($conf->exists('encryption')) {
if ($self->is_encrypted($value)) {
if ($conf->exists('encryption')) {
if ($self->is_encrypted($value)) {
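Review bot: `my $encrypted = $value;` makes encrypt() return the plaintext unchanged whenever the `encryption` config key is absent, so a caller that relies on it for protection (the new `secure` path in create_uri_query in this same commit) silently persists raw values on installs without encryption configured. If that pass-through is intentional, state it in the POD above the sub and in a comment, e.g. `# no 'encryption' config: value is returned as-is, callers must not assume it is protected`; otherwise the caller should check `$conf->exists('encryption')` and refuse or warn. The remainder of encrypt's body, including the branch that performs the encryption, lies outside this hunk. In the first hunk `$no_history` is used without a visible declaration; since create_uri_query sets it via `local($FS::Record::no_history)` it is presumably a package global that needs an `our` declaration elsewhere in the file to pass `use strict`.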
diff --git
a/FS/bin/freeside-queued
b/FS/bin/freeside-queued
index
2fd8025
..
23a3b3b
100644
(file)
--- a/
FS/bin/freeside-queued
+++ b/
FS/bin/freeside-queued
@@
-12,6
+12,7
@@
use FS::Record qw(qsearch);
use FS::queue;
use FS::queue_depend;
use FS::Log;
use FS::queue;
use FS::queue_depend;
use FS::Log;
+use FS::Cron::expire_user_pref qw( expire_user_pref );
# no autoloading for non-FS classes...
use Net::SSH 0.07;
# no autoloading for non-FS classes...
use Net::SSH 0.07;
@@
-66,6
+67,7
@@
while (1) {
if ( $kids >= $max_kids ) {
warn "WARNING: maximum $kids children reached\n" unless $warnkids++;
&reap_kids;
if ( $kids >= $max_kids ) {
warn "WARNING: maximum $kids children reached\n" unless $warnkids++;
&reap_kids;
+ expire_user_pref() unless $warnkids % 10;
sleep 1; #waiting for signals is cheap
next;
}
sleep 1; #waiting for signals is cheap
next;
}
@@
-131,6
+133,7
@@
while (1) {
undef $FS::UID::dbh;
next;
};
undef $FS::UID::dbh;
next;
};
+ expire_user_pref();
sleep $sleep_time;
next;
}
sleep $sleep_time;
next;
}
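Review bot: `expire_user_pref();` at the end of the idle loop appears to be the only mechanism that removes expired redirect prefs (its body is in FS::Cron::expire_user_pref, not in this commit), so the encrypted card data stashed by create_uri_query outlives its 120 s expiration whenever freeside-queued is not running; the consumer (handle_uri_query) should also reject and delete prefs whose `expiration` has passed rather than depend on this sweep alone. The call sits outside any visible eval, so a database error during the sweep would terminate the daemon's main loop; consider `eval { expire_user_pref() }; warn "expire_user_pref: $@" if $@;`. The `unless $warnkids % 10` throttle in the max-kids branch runs the sweep only every tenth pass through that branch, which deserves a one-line comment such as `# throttled: only every 10th pass while waiting on children`. Both while(1) loops begin before their hunks.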
diff --git
a/httemplate/edit/cust_main.cgi
b/httemplate/edit/cust_main.cgi
index
970037b
..
9e1b4b0
100755
(executable)
--- a/
httemplate/edit/cust_main.cgi
+++ b/
httemplate/edit/cust_main.cgi
@@
-241,6
+241,8
@@
my %svc_dsl = ();
my $prospectnum = '';
my $locationnum = '';
my $prospectnum = '';
my $locationnum = '';
+$m->comp('/elements/handle_uri_query', 'secure'=>1);
+
if ( $cgi->param('error') ) {
$cust_main = new FS::cust_main ( {
if ( $cgi->param('error') ) {
$cust_main = new FS::cust_main ( {
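Review bot: `$m->comp('/elements/handle_uri_query', 'secure'=>1);` restores the stashed query, presumably including decrypted payinfo/paycvv, into `$cgi` on every request to this page, but the component itself is not part of this commit, so it is not visible whether it verifies that the `redirect…` pref belongs to `$FS::CurrentUser::CurrentUser`, honors its `expiration`, and deletes the pref after a single use. Those three checks are what make a stash keyed on a short random token safe; please confirm they exist or add them, and document the contract here, e.g. `# restores a query stashed by create_uri_query (decrypting pay* fields); the pref must be one-shot and bound to the current user`. The decrypted values are then rendered into the edit form as before, which is the intended repopulation but means the CVV is echoed back into the page.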
diff --git
a/httemplate/edit/process/cust_main.cgi
b/httemplate/edit/process/cust_main.cgi
index
29805be
..
7241b0a
100755
(executable)
--- a/
httemplate/edit/process/cust_main.cgi
+++ b/
httemplate/edit/process/cust_main.cgi
@@
-1,7
+1,7
@@
% if ( $error ) {
% $cgi->param('error', $error);
% if ( $error ) {
% $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?
". $cgi->query_string
) %>
+%
my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?
$query"
) %>
%
% } else {
%
%
% } else {
%
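Review bot: The `secure` filter in create_uri_query encrypts parameters by name (`pay(info\d?|cvv)$`), but `$cgi->param('error', $error)` on the line above stores free-form text in the same stash; if any validation error from FS::cust_main echoes the submitted card number or CVV (not visible from here), that value would be persisted unencrypted. Either ensure those error strings never contain field values or mask them before stashing. A short comment would help the next reader: `# stash the form in an encrypted, short-lived pref and redirect with only its id (RT#26099)`.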
diff --git
a/httemplate/elements/create_uri_query
b/httemplate/elements/create_uri_query
index
32d8e2f
..
ce6249e
100644
(file)
--- a/
httemplate/elements/create_uri_query
+++ b/
httemplate/elements/create_uri_query
@@
-1,17
+1,34
@@
<% $query %>\
<%init>
<% $query %>\
<%init>
+my %opt = @_;
+
+if ( $opt{secure} ) {
+
+ foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+ my $value = $cgi->param($param);
+ next unless length($value);
+ my $encrypted = FS::Record->encrypt( $value );
+ $cgi->param($param, $encrypted);
+ }
+
+}
+
my $query = $cgi->query_string;
my $query = $cgi->query_string;
-if ( length($query) > 1920 ) { #stupid IE 2083 URL limit
+if ( length($query) > 1920
|| $opt{secure}
) { #stupid IE 2083 URL limit
my $session = int(rand(4294967296)); #XXX
my $pref = new FS::access_user_pref({
'usernum' => $FS::CurrentUser::CurrentUser->usernum,
'prefname' => "redirect$session",
'prefvalue' => $query,
my $session = int(rand(4294967296)); #XXX
my $pref = new FS::access_user_pref({
'usernum' => $FS::CurrentUser::CurrentUser->usernum,
'prefname' => "redirect$session",
'prefvalue' => $query,
- 'expiration' => time + 3600, #1h? 1m?
+ 'expiration' => time + ( $opt{secure} ? 120 #2m?
+ : 3600 #1h?
+ ),
});
});
+ local($FS::Record::no_history) = 1;
+
my $pref_error = $pref->insert;
if ( $pref_error ) {
die "FATAL: couldn't even set redirect cookie: $pref_error".
my $pref_error = $pref->insert;
if ( $pref_error ) {
die "FATAL: couldn't even set redirect cookie: $pref_error".
diff --git
a/httemplate/elements/searchbar-cust_main.html
b/httemplate/elements/searchbar-cust_main.html
index
5d79aaa
..
d68ccc3
100644
(file)
--- a/
httemplate/elements/searchbar-cust_main.html
+++ b/
httemplate/elements/searchbar-cust_main.html
@@
-1,6
+1,6
@@
% if ( $curuser->access_right('List customers') ) {
% if ( $curuser->access_right('List customers') ) {
- <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="
GE
T" STYLE="margin:0">
+ <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="
POS
T" STYLE="margin:0">
<INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR>
<A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A>
<INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px">
<INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR>
<A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A>
<INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px">