- 
-|.$locale->text('Version').qq| $form->{version}
-
-
-
-
+
@@ -227,7 +357,7 @@ sub selectdataset {
sub login {
- $form->{stylesheet} = "sql-ledger.css";
+ $form->{stylesheet} = "blue.css";
$form->{favicon} = "favicon.ico";
$form->error($locale->text('You did not enter a name!')) unless ($form->{login});
@@ -249,8 +379,9 @@ sub login {
$form->error($locale->text('Incorrect Username or Password!'));
}
} else {
- if ($form->{login} !~ /\@/) {
- $form->{login} .= "\@$dbname";
+ if ($form->{login} !~ /\@/ && keys %login == 1) {
+ my ($only) = keys %login;
+ $form->{login} = $only if defined $only && $only =~ /\@/;
}
}
}
@@ -279,7 +410,18 @@ sub login {
$form->info($err[4]);
- $form->info("{login}&path=$form->{path}&action=display&main=company_logo&js=$form->{js}&password=$form->{password}>".$locale->text('Continue')."");
+ my $login_u = $form->escape($form->{login}, 1);
+ my $path_u = $form->escape($form->{path}, 1);
+ my $js_u = $form->escape($form->{js}, 1);
+ my $sess_u = defined $form->{sessioncookie} ? $form->escape($form->{sessioncookie}, 1) : '';
+ my $sd_u = defined $form->{small_device} ? $form->escape($form->{small_device}, 1) : '';
+
+ my $href = "menu.pl?action=display&main=company_logo&login=$login_u&path=$path_u&js=$js_u";
+ $href .= "&sessioncookie=$sess_u" if defined $form->{sessioncookie} && length $form->{sessioncookie};
+ $href .= "&small_device=$sd_u" if defined $form->{small_device} && length $form->{small_device};
+
+ my $href_h = h($href);
+ $form->info(' ' . $locale->text('Continue') . '');
exit;
@@ -288,7 +430,7 @@ sub login {
if ($errno == 5) {
if (-f "$slconfig{userspath}/$user->{dbname}.LCK") {
if (-s "$slconfig{userspath}/$user->{dbname}.LCK") {
- open my $fh, "$slconfig{userspath}/$user->{dbname}.LCK" ;
+ open my $fh, '<', "$slconfig{userspath}/$user->{dbname}.LCK" or $form->error("$slconfig{userspath}/$user->{dbname}.LCK : $!");
$msg = <$fh>;
close $fh;
if ($form->{admin}) {
@@ -308,7 +450,18 @@ sub login {
} else {
# upgrade dataset and log in again
- open FH, ">$slconfig{userspath}/$user->{dbname}.LCK" or $form->error($!);
+ my $login_u = $form->escape($form->{login}, 1);
+ my $path_u = $form->escape($form->{path}, 1);
+ my $js_u = $form->escape($form->{js}, 1);
+ my $sess_u = defined $form->{sessioncookie} ? $form->escape($form->{sessioncookie}, 1) : '';
+ my $sd_u = defined $form->{small_device} ? $form->escape($form->{small_device}, 1) : '';
+
+ my $href = "menu.pl?action=display&main=company_logo&login=$login_u&path=$path_u&js=$js_u";
+ $href .= "&sessioncookie=$sess_u" if defined $form->{sessioncookie} && length $form->{sessioncookie};
+ $href .= "&small_device=$sd_u" if defined $form->{small_device} && length $form->{small_device};
+
+ my $href_h = h($href);
+ $form->info(' ' . $locale->text('Continue') . '');
for (qw(dbname dbhost dbport dbdriver dbconnect dbuser dbpasswd)) { $form->{$_} = $user->{$_} }
@@ -321,7 +474,25 @@ sub login {
}
- $form->info(" {login}&path=$form->{path}&action=display&main=company_logo&js=$form->{js}&password=$form->{password}>".$locale->text('Continue')."");
+ # Do NOT put password in query string. Hand off via POST.
+ my $login_h = h($form->{login});
+ my $path_h = h($form->{path});
+ my $js_h = h($form->{js});
+ my $pwd_h = h($form->{password});
+
+ my $post = qq|
+
+
+|;
+ $form->info($post);
exit;
@@ -354,7 +525,11 @@ sub login {
# made it this far, setup callback for the menu
$form->{callback} = "menu.pl?action=display";
- for (qw(login path password js sessioncookie small_device)) { $form->{callback} .= "&$_=$form->{$_}" }
+ for my $k (qw(login path js sessioncookie small_device)) {
+ my $v = $form->{$k};
+ next unless defined $v;
+ $form->{callback} .= "&$k=" . $form->escape($v, 1);
+ }
# check for recurring transactions
if ($user->{acs} !~ /Recurring Transactions/) {
@@ -396,12 +571,17 @@ sub email_tan {
use SL::Mailer;
$mail = SL::Mailer->new;
- srand( time() ^ ($$ + ($$ << 15)) );
- $digits = "0123456789";
- $tan = "";
- while (length($tan) < 4) {
- $tan .= substr($digits, (int(rand(length($digits)))), 1);
- }
+ open my $fh, '<', '/dev/urandom'
+ or $form->error('Cannot open /dev/urandom');
+
+ my $n = read $fh, my $buf, 6;
+ close $fh;
+
+ $form->error('Cannot read /dev/urandom') unless defined $n && $n == 6;
+
+ my $tan = join '', map { ord($_) % 10 } split //, $buf;
+
+ for ($user->{name}, $user->{email}) {s/[\r\n]//g if defined;}
$mail->{message} = $locale->text('TAN').": $tan";
$mail->{from} = $mail->{to} = qq|"$user->{name}" <$user->{email}>|;
@@ -421,50 +601,73 @@ sub email_tan {
$form->header;
- print qq|
-
-
-
-
-
-
-
-
-
-
-
-|.$locale->text('Version').qq| $form->{version}
-$user->{company}
-
-
-
- |
-
-
+
@@ -487,14 +690,14 @@ sub tan_login {
if ((crypt $form->{password}, substr($form->{login}, 0, 2)) ne $myconfig{password}) {
if (-f "$slconfig{userspath}/$form->{login}.tan") {
- open my $fh, "+<$slconfig{userspath}/$form->{login}.tan" or $form->error("$slconfig{userspath}/$form->{login}.tan : $!");
+ open my $fh, '+<', "$slconfig{userspath}/$form->{login}.tan" or $form->error("$slconfig{userspath}/$form->{login}.tan : $!");
$tries = <$fh>;
$tries++;
seek($fh, 0, 0);
truncate($fh, 0);
- print $fh $tries;
+ print {$fh} $tries;
close $fh;
if ($tries > 3) {
@@ -503,8 +706,8 @@ sub tan_login {
$form->error($locale->text('Maximum tries exceeded!'));
}
} else {
- open my $fh, ">$slconfig{userspath}/$form->{login}.tan" or $form->error("$slconfig{userspath}/$form->{login}.tan : $!");
- print $fh "1";
+ open my $fh, '>', "$slconfig{userspath}/$form->{login}.tan" or $form->error("$slconfig{userspath}/$form->{login}.tan : $!");
+ print {$fh} "1";
close $fh;
}
@@ -516,11 +719,76 @@ sub tan_login {
unlink "$slconfig{userspath}/$form->{login}.tan";
- $form->{callback} = "menu.pl?action=display";
- for (qw(login path js password)) { $form->{callback} .= "&$_=$form->{$_}" }
- $form->{callback} .= "&main=company_logo";
+ # TAN flow: menu.pl must receive the TAN code (in field 'password') to proceed.
+ # Do NOT put it in the query string -> hand off via POST (auto-submit).
+ my $h = sub {
+ my ($s) = @_;
+ $s = '' unless defined $s;
+ $s =~ s/&/&/g;
+ $s =~ s//>/g;
+ $s =~ s/"/"/g;
+ $s =~ s/'/'/g;
+ return $s;
+ };
+
+ # If available in the stored config, keep sessioncookie around (optional but harmless)
+ $form->{sessioncookie} ||= $myconfig{sessioncookie} if defined $myconfig{sessioncookie};
+
+ $form->{stylesheet} ||= $myconfig{stylesheet} || "blue.css";
+ $form->{favicon} ||= "favicon.ico";
+ $form->header;
+
+ my $login_h = $h->($form->{login});
+ my $path_h = $h->($form->{path});
+ my $js_h = $h->($form->{js});
+ my $pwd_h = $h->($form->{password}); # TAN code arrives as 'password'
+ my $sess_h = $h->($form->{sessioncookie});
+ my $sd_h = $h->($form->{small_device});
+
+ print qq|
+
+
+
+
+
+|;
+ exit;
}
@@ -538,19 +806,13 @@ sub totp_screen {
SL::TOTP::add_secret($user, $slconfig{memberfile}, $slconfig{userspath});
$qrcode = qq|
-
- | |.$locale->text('Scan the following code with your Authenticator App:').qq| |
-
- | |
-
-
+
+ |.$locale->text('Scan the following code with your Authenticator App:').qq|
+
|. SL::QRCode::plot_svg(SL::TOTP::url($user), scale => 4) . qq|
- |
-
-
- | $user->{totp_secret} |
-
- | | |;
+
+ $user->{totp_secret}
+ |;
}
$form->{stylesheet} = $user->{stylesheet};
@@ -559,50 +821,75 @@ sub totp_screen {
$form->header;
- print qq|
-
-
-
-
-
-
-
-
-
-
-
-|.$locale->text('Version').qq| $form->{version}
-
-
- |
-
-
+
@@ -636,8 +923,10 @@ sub totp_login {
# made it this far, setup callback for the menu
$form->{callback} = "menu.pl?action=display";
- for (qw(login path password js sessioncookie small_device)) {
- $form->{callback} .= "&$_=$form->{$_}";
+ for my $k (qw(login path js sessioncookie small_device)) {
+ my $v = $form->{$k};
+ next unless defined $v;
+ $form->{callback} .= "&$k=" . $form->escape($v, 1);
}
# check for recurring transactions
|