diff options
| author | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-09-06 22:23:46 +0100 |
|---|---|---|
| committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-09-06 22:27:56 +0100 |
| commit | abcb1f866e33c8eb7d979ae1213016d354f8301e (patch) | |
| tree | dde410d7a46fb79625c24d5e2ec15d4d5dbd18a7 | |
| parent | 1f69e28c518f4da9165ae03b749f3411ecec46fd (diff) | |
Update user object before attempting sign-in.
This prevents leaking of user account phone
number on a failed login attempt.
| -rw-r--r-- | CHANGELOG.md | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/New.pm | 3 |
2 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 08ae958b5..d48237a49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ ## Releases * Unreleased + - Security + - Update user object before attempting sign-in, + to prevent leak of user account phone number. - Front end improvements: - Simplify footer CSS. #2107 - Keep commas in geocode lookups. diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm index 15d144e2a..869ed9461 100644 --- a/perllib/FixMyStreet/App/Controller/Report/New.pm +++ b/perllib/FixMyStreet/App/Controller/Report/New.pm @@ -824,6 +824,8 @@ sub process_user : Private { $c->stash->{phone_may_be_mobile} = $type eq 'phone' && $parsed->{may_be_mobile}; + $c->forward('update_user', [ \%params ]); + # The user is trying to sign in. We only care about username from the params. if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) { $c->stash->{tfa_data} = { @@ -844,7 +846,6 @@ sub process_user : Private { return 1; } - $c->forward('update_user', [ \%params ]); if ($params{password_register}) { $c->forward('/auth/test_password', [ $params{password_register} ]); $report->user->password($params{password_register}); |