aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGELOG.md3
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/New.pm3
2 files changed, 5 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08ae958b5..d48237a49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
## Releases
* Unreleased
+ - Security
+ - Update user object before attempting sign-in,
+ to prevent leak of user account phone number.
- Front end improvements:
- Simplify footer CSS. #2107
- Keep commas in geocode lookups.
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index 15d144e2a..869ed9461 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -824,6 +824,8 @@ sub process_user : Private {
$c->stash->{phone_may_be_mobile} = $type eq 'phone' && $parsed->{may_be_mobile};
+ $c->forward('update_user', [ \%params ]);
+
# The user is trying to sign in. We only care about username from the params.
if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
$c->stash->{tfa_data} = {
@@ -844,7 +846,6 @@ sub process_user : Private {
return 1;
}
- $c->forward('update_user', [ \%params ]);
if ($params{password_register}) {
$c->forward('/auth/test_password', [ $params{password_register} ]);
$report->user->password($params{password_register});
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-26 21:16:10 +0000