<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Thanks Andrew! FYI, I have in my Extensible.pm:<div><i>(pre this update; line numbers will be slightly out also, due to some debug code)</i></div><div><div>@@ -211,7 +213,7 @@</div><div> #</div><div> </div><div> plugin_hooks 'before_authenticate_user', 'after_authenticate_user',</div><div>- 'before_create_user', 'after_create_user',</div><div>+ 'before_create_user', 'after_create_user', 'after_reset_code_success',</div><div> 'login_required', 'permission_denied', 'after_login_success';</div><div> </div><div><div>@@ -1216,7 +1229,17 @@</div><div> if ($code) {</div><div> no strict 'refs';</div><div> my $randompw = &{ $plugin->password_generator };</div><div>- if ( $plugin->user_password( code => $code, new_password => $randompw ) ) {</div><div>+</div><div>+ if (my $username = $plugin->user_password( code => $code, new_password => $randompw ) ) {</div><div>+ # Support a custom 'Change password' page or other app-based intervention after a successful reset code has been applied</div><div>+ foreach my $realm_check (@{ $plugin->realm_names }) { # $params->{realm} isn't defined at this point...</div><div>+ my $provider = $plugin->auth_provider($realm_check);</div><div>+ $params->{realm} = $realm_check if $provider->get_user_details($username);</div><div>+ }</div><div>+</div><div>+ $plugin->execute_plugin_hook( 'after_reset_code_success',</div><div>+ { username => $username, password => $randompw, realm => $params->{realm} } );</div><div>+</div><div><br></div><div>This allows a user to do a password change in the app.</div><div>(How else do people use reset codes?)</div><div>-N</div><div><br></div><div>PS: I also have:</div><div><div>@@ -1034,9 +1045,11 @@</div><div> $message{from} = $plugin->mail_from;</div><div> $message{plain} = <<__EMAIL;</div><div> A request has been received to reset your password for $appname. If</div><div>-you would like to do so, please follow the link below:</div><div>+you would like to do so, please click on the link below:</div><div> </div><div> $site/login/$options{code}</div><div>+</div><div>+(If you are unable to click on the link, please copy and paste it into your browser).</div><div><br></div><div>because our users appear to need this extra help.</div></div><div><br></div></div><div><br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 19 Dec 2018 at 19:18, Andrew Beverley <<a href="mailto:andy@andybev.com">andy@andybev.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear all,<br>
<br>
I have just released a new version of Dancer2::Plugin::Auth::Extensible.<br>
<br>
This contains a number of changes to the return_url functionality<br>
(forwarding to a URL after login). In particular:<br>
<br>
- It fixes a medium-level security vulnerability, whereby return_url<br>
could be used for Open URL Redirection attacks[1] with links such<br>
as /login?return_url=<a href="http://news.bbc.co.uk/" rel="noreferrer" target="_blank">http://news.bbc.co.uk/</a><br>
<br>
- It fixes a problem with apps mounted on paths where the path was<br>
included twice (GH 82 & 74)<br>
<br>
I've tested fairly thoroughly and I don't think I've broken anything,<br>
but let me know if you experience any problems.<br>
<br>
Regards,<br>
<br>
Andy<br>
<br>
[1] <a href="https://portswigger.net/kb/issues/00500100_open-redirection-reflected" rel="noreferrer" target="_blank">https://portswigger.net/kb/issues/00500100_open-redirection-reflected</a><br>
_______________________________________________<br>
dancer-users mailing list<br>
<a href="mailto:dancer-users@dancer.pm" target="_blank">dancer-users@dancer.pm</a><br>
<a href="http://lists.preshweb.co.uk/mailman/listinfo/dancer-users" rel="noreferrer" target="_blank">http://lists.preshweb.co.uk/mailman/listinfo/dancer-users</a><br>
</blockquote></div>