From 566f329591b4afd833cf7dc99319740a5f664b6e Mon Sep 17 00:00:00 2001
From: Guillaume Rousse <guillaume.rousse@renater.fr>
Date: Tue, 7 Nov 2017 10:34:54 +0100
Subject: [PATCH] sanitize arguments transmission

---
 lib/IdPAccountManager/Tools.pm                |  6 +--
 lib/IdPAccountManager/WebRequest.pm           | 38 +++++++++++++------
 .../mail/notification_generic_error.tt2.eml   |  4 +-
 .../mail/send_authentication_token.tt2.eml    | 14 +++----
 4 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/lib/IdPAccountManager/Tools.pm b/lib/IdPAccountManager/Tools.pm
index 6776d9d..0ee9af4 100644
--- a/lib/IdPAccountManager/Tools.pm
+++ b/lib/IdPAccountManager/Tools.pm
@@ -110,17 +110,15 @@ sub update_ssp_authsources {
 ##   data : data used by the TT2 parser
 sub mail_notice {
     my (%args) = @_;
-    my $tt2_file  = $args{template};
-    my $mail_data = $args{data};
 
     open SENDMAIL,
-        "|/usr/sbin/sendmail -f $args{from} $args{to}";
+        "|/usr/sbin/sendmail -f $args{data}->{from} $args{data}->{to}";
 
     my $tt2 = Template->new({
         FILTERS      => { qencode => [ \&qencode, 0 ] },
         INCLUDE_PATH => $args{templates_dir}
     });
-    $tt2->process($tt2_file, $mail_data, \*SENDMAIL)
+    $tt2->process($args{template}, $args{data}, \*SENDMAIL)
         or die $tt2->error();
 
     close SENDMAIL;
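Review bot: The new open line still interpolates `$args{data}->{to}` into a shell pipeline via two-arg open, and in req_generate_token (second WebRequest.pm hunk) that value is `$self->{in}->{email_address}`, i.e. request input, so the sanitized data hash does not remove the command-injection path. Use the list form, which bypasses the shell entirely: `open my $sendmail, '|-', '/usr/sbin/sendmail', '-f', $args{data}->{from}, $args{data}->{to} or die "sendmail: $!";`, pass `$sendmail` to `process` instead of `\*SENDMAIL`, and finish with `close $sendmail or die "sendmail: $!";` so a failed delivery is not silently dropped. Since a recipient beginning with `-` would still be parsed by sendmail as an option, the caller should also validate the address shape before handing it to this function. The rest of mail_notice's body lies outside the hunk.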
diff --git a/lib/IdPAccountManager/WebRequest.pm b/lib/IdPAccountManager/WebRequest.pm
index 6b97aa3..714434b 100755
--- a/lib/IdPAccountManager/WebRequest.pm
+++ b/lib/IdPAccountManager/WebRequest.pm
@@ -184,14 +184,21 @@ sub respond {
 
     ## Mail notification of admins about the error
     if (@errors_admin) {
-        $self->{out}->{subject} = 'Error notification - web interface';
         eval {
             IdPAccountManager::Tools::mail_notice(
                 template      => 'mail/notification_generic_error.tt2.eml',
                 templates_dir => $self->{configuration}->{templates_dir},
-                data          => $self->{out},
-                to            => $self->{configuration}->{admin_email},
-                from          => $self->{configuration}->{notice_from}
+                data          => {
+                    env => {
+                        REMOTE_HOST => $ENV{REMOTE_HOST},
+                        REMOTE_ADDR => $ENV{REMOTE_ADDR},
+                    },
+                    app_name => $self->{configuration}->{app_name},
+                    app_url  => $self->{configuration}->{app_url},
+                    from     => $self->{configuration}->{notice_from},
+                    to       => $self->{configuration}->{admin_email},
+                    errors   => $self->{out}->{errors}
+                }
             );
         };
         $self->{logger}->errorf("Error TT2 : %s", $EVAL_ERROR) if $EVAL_ERROR;
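Review bot: The `env`/`app_name`/`app_url`/`from` block built for `data` here is repeated almost verbatim in the req_generate_token hunk, so the two call sites will drift apart the next time a template needs a new field. A private helper such as `_mail_context` returning the common keys (`env` with the two `%ENV` entries, `app_name`, `app_url`, `from`) would let each call site write `data => { $self->_mail_context, to => ..., errors => ... }` and keep the template contract in one place. Note that `$ENV{REMOTE_HOST}` and `$ENV{REMOTE_ADDR}` are server-provided values rendered into the admin mail body; that is fine as long as the template never uses them in a header line. The enclosing `respond` starts outside the hunk.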
@@ -405,19 +412,26 @@ sub req_generate_token {
 
     $self->{out}->{email_address} = $self->{in}->{email_address};
     $self->{out}->{sp_entityid}   = $self->{in}->{sp_entityid};
-    $self->{out}->{to}            = $self->{in}->{email_address};
-    $self->{out}->{authentication_token} =
-        $authentication_token->get('token');
-    $self->{out}->{subtitle} = 'Generate an authentication token';
+    $self->{out}->{subtitle}      = 'Generate an authentication token';
 
     ## Send the challenge email with the token
     eval {
         IdPAccountManager::Tools::mail_notice(
             template      => 'mail/send_authentication_token.tt2.eml',
             templates_dir => $self->{configuration}->{templates_dir},
-            from          => $self->{configuration}->{notice_from}
-            to            => $self->{in}->{email_address},
-            data          => $self->{out},
+            data          => {
+                env => {
+                    REMOTE_HOST => $ENV{REMOTE_HOST},
+                    REMOTE_ADDR => $ENV{REMOTE_ADDR},
+                },
+                app_name             => $self->{configuration}->{app_name},
+                app_url              => $self->{configuration}->{app_url},
+                from                 => $self->{configuration}->{notice_from},
+                support_email        => $self->{configuration}->{support_email},
+                to                   => $self->{in}->{email_address},
+                sp_entityid          => $self->{in}->{sp_entityid},
+                authentication_token => $authentication_token->get('token'),
+            }
         );
     };
     $self->{logger}->errorf("Error TT2 : %s", $EVAL_ERROR) if $EVAL_ERROR;
@@ -426,7 +440,7 @@ sub req_generate_token {
         "Token send to %s for sp_entityid=%s;token=%s",
         $self->{in}->{email_address},
         $self->{in}->{sp_entityid},
-        $self->{out}->{authentication_token}
+        $authentication_token->get('token'),
     );
 
     return 1;
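Review bot: The replacement argument still writes the full authentication token into the application log, so anyone who can read the log can complete the email challenge without access to the mailbox. Log only that a token was issued, or a non-reversible fragment, e.g. `substr(sha256_hex($authentication_token->get('token')), 0, 8)` if Digest::SHA is already available in this file (I cannot see its imports from here), and drop `token=%s` from the format string otherwise. The enclosing req_generate_token starts outside the hunk.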
diff --git a/templates/mail/notification_generic_error.tt2.eml b/templates/mail/notification_generic_error.tt2.eml
index de75659..2430cc4 100644
--- a/templates/mail/notification_generic_error.tt2.eml
+++ b/templates/mail/notification_generic_error.tt2.eml
@@ -1,6 +1,6 @@
-From: [% conf.app_name %] <[% conf.notice_from %]>
+From: [% app_name %] <[% from %]>
 To: [% to %]
-Subject: [% subject %]
+Subject: [% app_name %] - Error notification
 Content-type: text/plain; charset=UTF-8; format=flowed
 
 You receive this notification as administrator of the eduGAIN Test Account Manager
diff --git a/templates/mail/send_authentication_token.tt2.eml b/templates/mail/send_authentication_token.tt2.eml
index 4ef4494..1d748e6 100644
--- a/templates/mail/send_authentication_token.tt2.eml
+++ b/templates/mail/send_authentication_token.tt2.eml
@@ -1,18 +1,18 @@
-From: [% conf.app_name %] <[% conf.notice_from %]>
+From: [% app_name %] <[% from %]>
 To: [% to %]
-Subject: [% conf.app_name %] - Test accounts request
+Subject: [% app_name %] - Test accounts request
 Content-type: text/plain; charset=UTF-8; format=flowed
 
-This is an email challenge automatically sent to you by [% conf.app_name %]. Somebody with IP address [% env.REMOTE_ADDR %] has requested to create test accounts for eduGAIN Service Provider with entityID [% sp_entityid %].
+This is an email challenge automatically sent to you by [% app_name %]. Somebody with IP address [% env.REMOTE_ADDR %] has requested to create test accounts for eduGAIN Service Provider with entityID [% sp_entityid %].
 The address [% to %] is mentioned in the eduGAIN metadata as a contact for this Service Provider.
 
-To complete the creation of test accounts, paste the following validation token in the [% conf.app_name %] web form.
+To complete the creation of test accounts, paste the following validation token in the [% app_name %] web form.
 
 Validation token:  [% authentication_token %]
 
-[% conf.app_name %]: [% conf.app_url %]
+[% app_name %]: [% app_url %]
 
-If the creation of test accounts was not initiated by you or a fellow administrator for the above Service Provider, please forward this email and contact [% conf.support_email %] to inform them about a potential abuse of the [% conf.app_name %] service.
+If the creation of test accounts was not initiated by you or a fellow administrator for the above Service Provider, please forward this email and contact [% conf.support_email %] to inform them about a potential abuse of the [% app_name %] service.
 
 Best Regards
-[% conf.app_name %] Bot
\ No newline at end of file
+[% app_name %] Bot
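Review bot: Line `please forward this email and contact [% conf.support_email %]` was left on the old `conf.` namespace while every other reference in this hunk moved to the flat variables now passed in `data` (which does include `support_email`), so the support contact will render empty in the abuse-report sentence. Change it to `contact [% support_email %] to inform them`. It may be worth grepping the remaining templates for `conf.` to catch any other stragglers this commit missed.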
-- 
GitLab