From aaa0887eca2c030ba56376888934ee1e29b26932 Mon Sep 17 00:00:00 2001
From: Matthew Somerville <matthew-github@dracos.co.uk>
Date: Thu, 6 Sep 2018 17:42:54 +0100
Subject: Update user object before attempting sign-in.

This prevents leaking of user account phone
number on a failed login attempt.
---
 CHANGELOG.md                                     | 5 ++++-
 perllib/FixMyStreet/App/Controller/Report/New.pm | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1b052008..f9b0f9149 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
 ## Releases
 
-* Unreleased
+* v2.3.5 (6th September 2018)
+    - Security:
+        - Update user object before attempting sign-in,
+          to prevent leak of user account phone number.
 
 * v2.3.4 (7th June 2018)
     - Bugfixes:
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index b5e5c5738..6cbf2291f 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -805,6 +805,8 @@ sub process_user : Private {
 
     $c->stash->{phone_may_be_mobile} = $type eq 'phone' && $parsed->{may_be_mobile};
 
+    $c->forward('update_user', [ \%params ]);
+
     # The user is trying to sign in. We only care about username from the params.
     if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
         $c->stash->{tfa_data} = {
@@ -825,7 +827,6 @@ sub process_user : Private {
         return 1;
     }
 
-    $c->forward('update_user', [ \%params ]);
     if ($params{password_register}) {
         $c->forward('/auth/test_password', [ $params{password_register} ]);
         $report->user->password($params{password_register});
-- 
cgit v1.2.3