[freeside-commits] branch FREESIDE_2_3_BRANCH updated. 78468b9e9cb1ccf39e6092b8e3d87bab393ea5dd

Ivan ivan at 420.am
Sun Nov 17 17:10:50 PST 2013


The branch, FREESIDE_2_3_BRANCH has been updated
       via  78468b9e9cb1ccf39e6092b8e3d87bab393ea5dd (commit)
      from  e310ed83422fee8511df926141a7606676ff1331 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 78468b9e9cb1ccf39e6092b8e3d87bab393ea5dd
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 17 17:10:49 2013 -0800

    don't redirect to a GET with sensitive data, RT#26099

diff --git a/httemplate/elements/handle_uri_query b/httemplate/elements/handle_uri_query
index eb7ea1a..2dea96a 100644
--- a/httemplate/elements/handle_uri_query
+++ b/httemplate/elements/handle_uri_query
@@ -1,8 +1,20 @@
 <%init>
+
+my %opt = @_;
+
 if ( $cgi->param('redirect') ) {
   my $session = $cgi->param('redirect');
+
   my $pref = $FS::CurrentUser::CurrentUser->option("redirect$session");
   die "unknown redirect session $session\n" unless length($pref);
   $cgi = new CGI($pref);
+
+  foreach my $param (grep /pay(info\d?|cvv)$/, $cgi->param) {
+    my $value = $cgi->param($param);
+    next unless length($value);
+    my $decrypted = FS::Record->decrypt( $value );
+    $cgi->param($param, $decrypted);
+  }
+
 }
 </%init>
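Review bot: The new loop writes the result of `FS::Record->decrypt( $value )` straight back with `$cgi->param($param, $decrypted)` and never checks it, so whatever decrypt returns for a value that is not valid ciphertext replaces the original parameter; consider checking the result before overwriting and failing loudly otherwise, as the `die "unknown redirect session ..."` line above does. The pattern `/pay(info\d?|cvv)$/` is anchored only at the end, so every parameter whose name merely ends in `payinfo`, `payinfo` plus a digit, or `paycvv` is selected; if only specific names or prefixes are intended, anchor the start as well. `my %opt = @_;` is introduced but nothing in this hunk reads `%opt`; drop it or document which options callers are expected to pass. A one-line comment above the loop stating that these fields are held encrypted in the `redirect$session` preference would tie the code to the commit message.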

-----------------------------------------------------------------------

Summary of changes:
 httemplate/elements/handle_uri_query |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)



