Merge pull request #1302 from psibi/csrf-fix

yesod-auth: Fix CSRF security vulnerability in registerHelper function
2016-11-22 10:49:26 -08:00 · 2016-11-22 10:49:26 -08:00 · 54cc4205d8
commit 54cc4205d8
parent 10a751cdbc 696faa3fd0
1 changed files with 9 additions and 12 deletions
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@ -71,7 +71,6 @@ import           Safe                     (readMay)
 import           System.IO.Unsafe         (unsafePerformIO)
 import qualified Text.Email.Validate

-
 loginR, registerR, forgotPasswordR, setpassR :: AuthRoute
 loginR = PluginR "email" ["login"]
 registerR = PluginR "email" ["register"]
@ -383,19 +382,18 @@ registerHelper :: YesodAuthEmail master
               -> HandlerT Auth (HandlerT master IO) TypedContent
 registerHelper allowUsername dest = do
    y <- lift getYesod
+    checkCsrfHeaderOrParam defaultCsrfHeaderName defaultCsrfParamName
    midentifier <- lookupPostParam "email"
    let eidentifier = case midentifier of
-            Nothing -> Left Msg.NoIdentifierProvided
-            Just x
-                | Just x' <- Text.Email.Validate.canonicalizeEmail (encodeUtf8 x) ->
-                    Right $ normalizeEmailAddress y $ decodeUtf8With lenientDecode x'
-                | allowUsername -> Right $ TS.strip x
-                | otherwise -> Left Msg.InvalidEmailAddress
-
+                          Nothing -> Left Msg.NoIdentifierProvided
+                          Just x
+                              | Just x' <- Text.Email.Validate.canonicalizeEmail (encodeUtf8 x) ->
+                                         Right $ normalizeEmailAddress y $ decodeUtf8With lenientDecode x'
+                              | allowUsername -> Right $ TS.strip x
+                              | otherwise -> Left Msg.InvalidEmailAddress
    case eidentifier of
-        Left route -> loginErrorMessageI dest route
-        Right identifier -> do
-
+      Left route -> loginErrorMessageI dest route
+      Right identifier -> do
            mecreds <- lift $ getEmailCreds identifier
            registerCreds <-
                case mecreds of
@ -709,7 +707,6 @@ setLoginLinkKey aid = do
    now <- liftIO getCurrentTime
    setSession loginLinkKey $ TS.pack $ show (toPathPiece aid, now)

-
 -- See https://github.com/yesodweb/yesod/issues/1245 for discussion on this
 -- use of unsafePerformIO.
 defaultNonceGen :: Nonce.Generator