summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Friesel <derf@finalrewind.org>2019-05-02 11:34:52 +0200
committerDaniel Friesel <derf@finalrewind.org>2019-05-02 11:34:52 +0200
commitaf5c26bf8a4a75935d8d34f17576a135a8eabff9 (patch)
tree182fd2dd01462aab7b0bbc70877fa3623e306bee
parentbe1e5dda23b5bac86898ac548ca1ecd2e6a3fb08 (diff)
Do not error out when receiving UIDs > INT_MAX1.1.2
-rw-r--r--lib/Travelynx/Controller/Account.pm7
-rwxr-xr-xlib/Travelynx/Controller/Api.pm10
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index f7d3a75..081aa13 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -159,7 +159,7 @@ sub verify {
my $id = $self->stash('id');
my $token = $self->stash('token');
- if ( not $id =~ m{ ^ \d+ $ }x ) {
+ if ( not $id =~ m{ ^ \d+ $ }x or $id > 2147483647 ) {
$self->render( 'register', invalid => 'token' );
return;
}
@@ -528,6 +528,11 @@ sub recover_password {
my $id = $self->stash('id');
my $token = $self->stash('token');
+ if ( not $id =~ m{ ^ \d+ $ }x or $id > 2147483647 ) {
+ $self->render( 'recover_password', invalid => 'recovery token' );
+ return;
+ }
+
if ( $self->verify_password_token( $id, $token ) ) {
$self->render('set_password');
}
diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm
index 889a0e3..b0047b9 100755
--- a/lib/Travelynx/Controller/Api.pm
+++ b/lib/Travelynx/Controller/Api.pm
@@ -122,6 +122,16 @@ sub get_v1 {
}
my $uid = $+{id};
$api_token = $+{token};
+
+ if ( $uid > 2147483647 ) {
+ $self->render(
+ json => {
+ error => 'Malformed token',
+ },
+ );
+ return;
+ }
+
my $token = $self->get_api_token($uid);
if ( $api_token ne $token->{$api_action} ) {
$self->render(