[freeside-commits] branch master updated. d4cdc4db87f1b6a373398b7ab33e791bd0527dda
Ivan
ivan at 420.am
Sun Nov 17 17:10:10 PST 2013
The branch, master has been updated
via d4cdc4db87f1b6a373398b7ab33e791bd0527dda (commit)
from 0076a0d790d1385cd2a16472ec2c11528edbc9e3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d4cdc4db87f1b6a373398b7ab33e791bd0527dda
Author: Ivan Kohler <ivan at freeside.biz>
Date: Sun Nov 17 17:10:06 2013 -0800
don't redirect to a GET with sensitive data, RT#26099
diff --git a/FS/FS/Record.pm b/FS/FS/Record.pm
index 05deaef..4937347 100644
--- a/FS/FS/Record.pm
+++ b/FS/FS/Record.pm
@@ -1251,7 +1251,7 @@ sub insert {
}
my $h_sth;
- if ( defined dbdef->table('h_'. $table) ) {
+ if ( defined( dbdef->table('h_'. $table) ) && ! $no_history ) {
my $h_statement = $self->_h_statement('insert');
warn "[debug]$me $h_statement\n" if $DEBUG > 2;
$h_sth = dbh->prepare($h_statement) or do {
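Review bot: `$no_history` is read here as a bare package variable, but the commit adds no `our $no_history` declaration to Record.pm (the diffstat lists only these two one-line changes), so under `use strict` this will not compile unless the name was already declared elsewhere in the file — please confirm, or add `our $no_history = 0;` alongside the other package globals. The only setter on the page is `local($FS::Record::no_history) = 1;` in create_uri_query, so a short comment on the new condition would help the next reader: `# callers local()ize $no_history to 1 to skip the h_ history row, e.g. when the row carries encrypted payment data`. Skipping the history row is an intentional audit gap; it deserves to be stated rather than discovered. insert's body continues outside this hunk.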
@@ -3004,7 +3004,7 @@ You should generally not have to worry about calling this, as the system handles
sub encrypt {
my ($self, $value) = @_;
- my $encrypted;
+ my $encrypted = $value;
if ($conf->exists('encryption')) {
if ($self->is_encrypted($value)) {
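Review bot: `my $encrypted = $value;` makes encrypt() hand back the plaintext unchanged whenever the `encryption` config is absent, because the `$conf->exists('encryption')` branch is the only place the value is replaced; a caller that relies on the return value being protected — create_uri_query's `secure` path in this same commit stores it in access_user_pref.prefvalue — will silently persist card numbers and CVVs in clear text on installs without encryption configured. Either state the passthrough in the POD above this sub (`Returns $value unchanged when encryption is not configured; callers needing a guarantee must check the config themselves.`) and make the secure caller refuse to proceed in that case, or have the secure path die when `$conf->exists('encryption')` is false. The remainder of encrypt's body lies outside this hunk, so I cannot see whether the `is_encrypted` branch also returns the input as-is.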
diff --git a/FS/bin/freeside-queued b/FS/bin/freeside-queued
index 5eac06b..f1a87ca 100644
--- a/FS/bin/freeside-queued
+++ b/FS/bin/freeside-queued
@@ -12,6 +12,7 @@ use FS::Record qw(qsearch);
use FS::queue;
use FS::queue_depend;
use FS::Log;
+use FS::Cron::expire_user_pref qw( expire_user_pref );
# no autoloading for non-FS classes...
use Net::SSH 0.07;
@@ -66,6 +67,7 @@ while (1) {
if ( $kids >= $max_kids ) {
warn "WARNING: maximum $kids children reached\n" unless $warnkids++;
&reap_kids;
+ expire_user_pref() unless $warnkids % 10;
sleep 1; #waiting for signals is cheap
next;
}
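Review bot: `expire_user_pref()` is called unguarded inside the daemon's main loop, here and again in the next hunk (line with `expire_user_pref();` before `sleep $sleep_time;`), and nothing visible wraps it in `eval`, so a database error raised while expiring prefs would take down freeside-queued rather than just skip one pass; consider `eval { expire_user_pref() }; warn "expire_user_pref: $@" if $@;` at both sites. The cadence on the busy path depends on `$warnkids++` on the line above incrementing every iteration, which is the case as written but is easy to break if that warning line is later changed. Since the 120-second expiration that create_uri_query now sets on secure redirects is only enforced by this daemon, it is worth a comment noting that encrypted redirect prefs persist until the queue daemon next runs. The `while (1)` loop starts before this hunk.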
@@ -131,6 +133,7 @@ while (1) {
undef $FS::UID::dbh;
next;
};
+ expire_user_pref();
sleep $sleep_time;
next;
}
diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi
index 8a3d6f9..480047c 100755
--- a/httemplate/edit/cust_main.cgi
+++ b/httemplate/edit/cust_main.cgi
@@ -203,6 +203,7 @@ my $prospectnum = '';
my $locationnum = '';
my $same = '';
+$m->comp('/elements/handle_uri_query', 'secure'=>1);
if ( $cgi->param('error') ) {
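Review bot: `'secure'=>1` is passed to /elements/handle_uri_query, but that component is not among the six files in this commit's diffstat, so unless it already understands the option the payinfo/paycvv values that create_uri_query stored encrypted will be restored into `$cgi` still as ciphertext and re-rendered in the form — please confirm it performs the matching decrypt. I also cannot see from here whether the lookup of the `redirect$session` pref is restricted to the current usernum and whether the pref is deleted on first use; both matter more now that the row can carry card data. The surrounding init section begins before this hunk.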
diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index ff8be1a..4fb8f62 100755
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -1,7 +1,7 @@
% if ( $error ) {
% $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %>
+% my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %>
%
% } else {
%
diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query
index 32d8e2f..ce6249e 100644
--- a/httemplate/elements/create_uri_query
+++ b/httemplate/elements/create_uri_query
@@ -1,17 +1,34 @@
<% $query %>\
<%init>
+my %opt = @_;
+
+if ( $opt{secure} ) {
+
+ foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+ my $value = $cgi->param($param);
+ next unless length($value);
+ my $encrypted = FS::Record->encrypt( $value );
+ $cgi->param($param, $encrypted);
+ }
+
+}
+
my $query = $cgi->query_string;
-if ( length($query) > 1920 ) { #stupid IE 2083 URL limit
+if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit
my $session = int(rand(4294967296)); #XXX
my $pref = new FS::access_user_pref({
'usernum' => $FS::CurrentUser::CurrentUser->usernum,
'prefname' => "redirect$session",
'prefvalue' => $query,
- 'expiration' => time + 3600, #1h? 1m?
+ 'expiration' => time + ( $opt{secure} ? 120 #2m?
+ : 3600 #1h?
+ ),
});
+ local($FS::Record::no_history) = 1;
+
my $pref_error = $pref->insert;
if ( $pref_error ) {
die "FATAL: couldn't even set redirect cookie: $pref_error".
diff --git a/httemplate/elements/searchbar-cust_main.html b/httemplate/elements/searchbar-cust_main.html
index 9a98417..5bfef48 100644
--- a/httemplate/elements/searchbar-cust_main.html
+++ b/httemplate/elements/searchbar-cust_main.html
@@ -1,6 +1,6 @@
% if ( $curuser->access_right('List customers') ) {
- <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="GET" STYLE="margin:0">
+ <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="POST" STYLE="margin:0">
<INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR>
<A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A>
<INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px">
-----------------------------------------------------------------------
Summary of changes:
FS/FS/Record.pm | 4 ++--
FS/bin/freeside-queued | 3 +++
httemplate/edit/cust_main.cgi | 1 +
httemplate/edit/process/cust_main.cgi | 4 ++--
httemplate/elements/create_uri_query | 21 +++++++++++++++++++--
httemplate/elements/searchbar-cust_main.html | 2 +-
6 files changed, 28 insertions(+), 7 deletions(-)