[freeside-commits] branch FREESIDE_2_3_BRANCH updated. e310ed83422fee8511df926141a7606676ff1331
Ivan
ivan at 420.am
Sun Nov 17 17:10:27 PST 2013
The branch, FREESIDE_2_3_BRANCH has been updated
via e310ed83422fee8511df926141a7606676ff1331 (commit)
from 736136102c6fc01fbc9d70358e6e457a09687944 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e310ed83422fee8511df926141a7606676ff1331
Author: Ivan Kohler <ivan at freeside.biz>
Date: Sun Nov 17 17:10:24 2013 -0800
don't redirect to a GET with sensitive data, RT#26099
diff --git a/FS/FS/Record.pm b/FS/FS/Record.pm
index 2c506ff..4e0cf8e 100644
--- a/FS/FS/Record.pm
+++ b/FS/FS/Record.pm
@@ -1154,7 +1154,7 @@ sub insert {
my $h_sth;
- if ( defined dbdef->table('h_'. $table) ) {
+ if ( defined( dbdef->table('h_'. $table) ) && ! $no_history ) {
my $h_statement = $self->_h_statement('insert');
warn "[debug]$me $h_statement\n" if $DEBUG > 2;
$h_sth = dbh->prepare($h_statement) or do {
@@ -2924,7 +2924,7 @@ You should generally not have to worry about calling this, as the system handles
sub encrypt {
my ($self, $value) = @_;
- my $encrypted;
+ my $encrypted = $value;
if ($conf->exists('encryption')) {
if ($self->is_encrypted($value)) {
diff --git a/FS/bin/freeside-queued b/FS/bin/freeside-queued
index 2fd8025..23a3b3b 100644
--- a/FS/bin/freeside-queued
+++ b/FS/bin/freeside-queued
@@ -12,6 +12,7 @@ use FS::Record qw(qsearch);
use FS::queue;
use FS::queue_depend;
use FS::Log;
+use FS::Cron::expire_user_pref qw( expire_user_pref );
# no autoloading for non-FS classes...
use Net::SSH 0.07;
@@ -66,6 +67,7 @@ while (1) {
if ( $kids >= $max_kids ) {
warn "WARNING: maximum $kids children reached\n" unless $warnkids++;
&reap_kids;
+ expire_user_pref() unless $warnkids % 10;
sleep 1; #waiting for signals is cheap
next;
}
@@ -131,6 +133,7 @@ while (1) {
undef $FS::UID::dbh;
next;
};
+ expire_user_pref();
sleep $sleep_time;
next;
}
diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi
index 970037b..9e1b4b0 100755
--- a/httemplate/edit/cust_main.cgi
+++ b/httemplate/edit/cust_main.cgi
@@ -241,6 +241,8 @@ my %svc_dsl = ();
my $prospectnum = '';
my $locationnum = '';
+$m->comp('/elements/handle_uri_query', 'secure'=>1);
+
if ( $cgi->param('error') ) {
$cust_main = new FS::cust_main ( {
diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index 29805be..7241b0a 100755
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -1,7 +1,7 @@
% if ( $error ) {
% $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %>
+% my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %>
%
% } else {
%
diff --git a/httemplate/elements/create_uri_query b/httemplate/elements/create_uri_query
index 32d8e2f..ce6249e 100644
--- a/httemplate/elements/create_uri_query
+++ b/httemplate/elements/create_uri_query
@@ -1,17 +1,34 @@
<% $query %>\
<%init>
+my %opt = @_;
+
+if ( $opt{secure} ) {
+
+ foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+ my $value = $cgi->param($param);
+ next unless length($value);
+ my $encrypted = FS::Record->encrypt( $value );
+ $cgi->param($param, $encrypted);
+ }
+
+}
+
my $query = $cgi->query_string;
-if ( length($query) > 1920 ) { #stupid IE 2083 URL limit
+if ( length($query) > 1920 || $opt{secure} ) { #stupid IE 2083 URL limit
my $session = int(rand(4294967296)); #XXX
my $pref = new FS::access_user_pref({
'usernum' => $FS::CurrentUser::CurrentUser->usernum,
'prefname' => "redirect$session",
'prefvalue' => $query,
- 'expiration' => time + 3600, #1h? 1m?
+ 'expiration' => time + ( $opt{secure} ? 120 #2m?
+ : 3600 #1h?
+ ),
});
+ local($FS::Record::no_history) = 1;
+
my $pref_error = $pref->insert;
if ( $pref_error ) {
die "FATAL: couldn't even set redirect cookie: $pref_error".
diff --git a/httemplate/elements/searchbar-cust_main.html b/httemplate/elements/searchbar-cust_main.html
index 5d79aaa..d68ccc3 100644
--- a/httemplate/elements/searchbar-cust_main.html
+++ b/httemplate/elements/searchbar-cust_main.html
@@ -1,6 +1,6 @@
% if ( $curuser->access_right('List customers') ) {
- <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="GET" STYLE="margin:0">
+ <FORM ACTION="<%$fsurl%>search/cust_main.cgi" METHOD="POST" STYLE="margin:0">
<INPUT NAME="search_cust" TYPE="text" VALUE="<% $cust_label |n %>" STYLE="width:<%$width%>" onFocus="clearhint_search_cust(this);" onClick="clearhint_search_cust(this);" CLASS="fstext"><BR>
<A HREF="<%$fsurl%>search/report_cust_main.html" CLASS="fslink" STYLE="font-size: 11px"><% mt('Advanced') |h %></A>
<INPUT TYPE="submit" VALUE="<% mt('Search customers') |h %>" CLASS="fsblackbutton" onMouseOver="this.className='fsblackbuttonselected'; return true;" onMouseOut="this.className='fsblackbutton'; return true;" STYLE="font-size:11px">
-----------------------------------------------------------------------
Summary of changes:
FS/FS/Record.pm | 4 ++--
FS/bin/freeside-queued | 3 +++
httemplate/edit/cust_main.cgi | 2 ++
httemplate/edit/process/cust_main.cgi | 4 ++--
httemplate/elements/create_uri_query | 21 +++++++++++++++++++--
httemplate/elements/searchbar-cust_main.html | 2 +-
6 files changed, 29 insertions(+), 7 deletions(-)
More information about the freeside-commits
mailing list