diff options
author | Daniel Friesel <derf@finalrewind.org> | 2019-05-02 11:34:52 +0200 |
---|---|---|
committer | Daniel Friesel <derf@finalrewind.org> | 2019-05-02 11:34:52 +0200 |
commit | af5c26bf8a4a75935d8d34f17576a135a8eabff9 (patch) | |
tree | 182fd2dd01462aab7b0bbc70877fa3623e306bee | |
parent | be1e5dda23b5bac86898ac548ca1ecd2e6a3fb08 (diff) |
Do not error out when receiving UIDs > INT_MAX1.1.2
-rw-r--r-- | lib/Travelynx/Controller/Account.pm | 7 | ||||
-rwxr-xr-x | lib/Travelynx/Controller/Api.pm | 10 |
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index f7d3a75..081aa13 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -159,7 +159,7 @@ sub verify { my $id = $self->stash('id'); my $token = $self->stash('token'); - if ( not $id =~ m{ ^ \d+ $ }x ) { + if ( not $id =~ m{ ^ \d+ $ }x or $id > 2147483647 ) { $self->render( 'register', invalid => 'token' ); return; } @@ -528,6 +528,11 @@ sub recover_password { my $id = $self->stash('id'); my $token = $self->stash('token'); + if ( not $id =~ m{ ^ \d+ $ }x or $id > 2147483647 ) { + $self->render( 'recover_password', invalid => 'recovery token' ); + return; + } + if ( $self->verify_password_token( $id, $token ) ) { $self->render('set_password'); } diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm index 889a0e3..b0047b9 100755 --- a/lib/Travelynx/Controller/Api.pm +++ b/lib/Travelynx/Controller/Api.pm @@ -122,6 +122,16 @@ sub get_v1 { } my $uid = $+{id}; $api_token = $+{token}; + + if ( $uid > 2147483647 ) { + $self->render( + json => { + error => 'Malformed token', + }, + ); + return; + } + my $token = $self->get_api_token($uid); if ( $api_token ne $token->{$api_action} ) { $self->render( |