[dancer-users] New release of DPAE with return_url fixes

Nathan Bailey web at polynate.net
Wed Dec 19 23:44:33 GMT 2018


Thanks Andrew! FYI, I have in my Extensible.pm:
*(pre this update; line numbers will be slightly out also, due to some
debug code)*
@@ -211,7 +213,7 @@
 #

 plugin_hooks 'before_authenticate_user', 'after_authenticate_user',
-  'before_create_user', 'after_create_user',
+  'before_create_user', 'after_create_user', 'after_reset_code_success',
   'login_required', 'permission_denied', 'after_login_success';

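Review bot: the new hook name 'after_reset_code_success' is registered here but nothing in the patch documents it; the plugin's hook list, where 'before_create_user' and 'after_login_success' are described, should gain an entry stating when it fires (after a reset code has been successfully applied) and which keys its hashref argument carries, since plugin consumers discover hooks from that list rather than from plugin_hooks.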
@@ -1216,7 +1229,17 @@
     if ($code) {
         no strict 'refs';
         my $randompw = &{ $plugin->password_generator };
-        if ( $plugin->user_password( code => $code, new_password =>
$randompw ) ) {
+
+        if (my $username = $plugin->user_password( code => $code,
new_password => $randompw ) ) {
+            # Support a custom 'Change password' page or other app-based
intervention after a successful reset code has been applied
+            foreach my $realm_check (@{ $plugin->realm_names }) { #
$params->{realm} isn't defined at this point...
+                my $provider = $plugin->auth_provider($realm_check);
+                $params->{realm} = $realm_check if
$provider->get_user_details($username);
+            }
+
+            $plugin->execute_plugin_hook( 'after_reset_code_success',
+                { username => $username, password => $randompw, realm =>
$params->{realm} } );
+

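Review bot: the realm loop sets `$params->{realm}` for every realm whose provider returns details for `$username`, so when the same username exists in more than one realm the last realm silently wins rather than the one the reset code actually belonged to; add `last` after the assignment, or better, have `user_password` report the realm it matched (it has already located the user by code), which would make this second lookup unnecessary. Two smaller points: the `if (my $username = $plugin->user_password(...))` form assumes `user_password` returns the username rather than a plain true value on success, which deserves a comment so the assumption is visible to the next reader; and the hook hashref carries the plaintext `$randompw`, so any hook handler that logs its arguments will record a working password, which is worth a sentence in the hook's documentation (or pass only username and realm and let the handler set the new password itself).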
This allows a user to do a password change in the app.
(How else do people use reset codes?)
-N

PS: I also have:
@@ -1034,9 +1045,11 @@
         $message{from}    = $plugin->mail_from;
         $message{plain}   = <<__EMAIL;
 A request has been received to reset your password for $appname. If
-you would like to do so, please follow the link below:
+you would like to do so, please click on the link below:

 $site/login/$options{code}
+
+(If you are unable to click on the link, please copy and paste it into
your browser).

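Review bot: the reset link is still emitted on its own line (`$site/login/$options{code}`), which is exactly what makes the new copy-and-paste instruction work in plain-text mail clients, so that line must stay unwrapped in the heredoc; the added sentence is wholly parenthetical, so it should end `browser.)` with the full stop inside the parenthesis. If the plugin also builds an HTML variant of this message, the same wording change should be applied there so both parts of the mail agree.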
because our users appear to need this extra help.



On Wed, 19 Dec 2018 at 19:18, Andrew Beverley <andy at andybev.com> wrote:

> Dear all,
>
> I have just released a new version of Dancer2::Plugin::Auth::Extensible.
>
> This contains a number of changes to the return_url functionality
> (forwarding to a URL after login). In particular:
>
> - It fixes a medium-level security vulnerability, whereby return_url
> could be used for Open URL Redirection attacks[1] with links such
> as /login?return_url=http://news.bbc.co.uk/
>
> - It fixes a problem with apps mounted on paths where the path was
> included twice (GH 82 & 74)
>
> I've tested fairly thoroughly and I don't think I've broken anything,
> but let me know if you experience any problems.
>
> Regards,
>
> Andy
>
> [1] https://portswigger.net/kb/issues/00500100_open-redirection-reflected
> _______________________________________________
> dancer-users mailing list
> dancer-users at dancer.pm
> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
>
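The open redirect described in the release note above (a `return_url` pointing at another host) is closed by refusing to redirect anywhere that is not a path on the application itself. The following is an added example of such a check, not code from Dancer2::Plugin::Auth::Extensible or from the list posters; `safe_return_url`, its `$fallback` argument and the sample inputs are assumptions, and it relies only on the `URI` module.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use URI;

# Added example, not part of Dancer2::Plugin::Auth::Extensible.
# safe_return_url (hypothetical name) takes the raw return_url query value
# and returns something safe to redirect to after login: the value itself
# when it is an absolute path on this application, otherwise $fallback.
sub safe_return_url {
    my ($return_url, $fallback) = @_;
    $fallback //= '/';

    return $fallback unless defined $return_url && length $return_url;

    # Control characters must never reach a Location header, and browsers
    # strip tabs/newlines before parsing, so "/\t/host" would be read as a
    # protocol-relative URL. Backslashes are treated as slashes by some
    # browsers, so they are rejected as well.
    return $fallback if $return_url =~ /[\x00-\x1f\x7f\\]/;

    my $uri = URI->new($return_url);

    # Anything with a scheme (http:, https:, javascript:, data:, ...) or an
    # authority (//other.example) leaves the application. Only a value that
    # starts with exactly one slash is an in-app path.
    return $fallback if defined $uri->scheme;
    return $fallback if $return_url =~ m{^//};
    return $fallback unless $return_url =~ m{^/};

    # Keep only path and query; a fragment is meaningless to the server.
    return $uri->path_query;
}

# Constructed sample inputs with the decision each should produce.
my @cases = (
    [ '/profile?tab=2',          '/profile?tab=2' ],  # in-app path: allowed
    [ 'http://news.bbc.co.uk/',  '/' ],               # the case from the release note
    [ '//news.bbc.co.uk/',       '/' ],               # protocol-relative
    [ "/\t/news.bbc.co.uk/",     '/' ],               # control character
    [ 'profile',                 '/' ],               # relative path, ambiguous: fallback
    [ undef,                     '/' ],               # parameter missing entirely
);

for my $case (@cases) {
    my ($in, $want) = @$case;
    my $got = safe_return_url($in);
    printf "%-28s -> %s%s\n",
        defined $in ? "'$in'" : 'undef',
        $got,
        $got eq $want ? '' : '   (UNEXPECTED)';
}
```

In a Dancer2 app mounted under a prefix (the mount-path case the release note also fixes), the value returned here is a path relative to the host, so the mount point should be prepended exactly once when building the redirect, rather than re-applied to a value that already carries it.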