From ad531654561f46135f7b2fc43f70eb049fafc7ff Mon Sep 17 00:00:00 2001
From: Greg Roach
Date: Sun, 5 Sep 2021 19:41:55 +0100
Subject: [PATCH] Fix: do not pass email/username in URL parameters
---
 app/Http/RequestHandlers/RegisterAction.php | 28 +++++++++++++--------
 app/Http/RequestHandlers/RegisterPage.php | 9 ++++---
 resources/views/register-page.phtml | 2 +-
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/app/Http/RequestHandlers/RegisterAction.php b/app/Http/RequestHandlers/RegisterAction.php
index a9fbc74be8c..fc9903a0a12 100644
--- a/app/Http/RequestHandlers/RegisterAction.php
+++ b/app/Http/RequestHandlers/RegisterAction.php
@@ -30,6 +30,7 @@
 use Fisharebest\Webtrees\Services\CaptchaService;
 use Fisharebest\Webtrees\Services\EmailService;
 use Fisharebest\Webtrees\Services\UserService;
+use Fisharebest\Webtrees\Session;
 use Fisharebest\Webtrees\Site;
 use Fisharebest\Webtrees\SiteUser;
 use Fisharebest\Webtrees\Tree;
@@ -87,7 +88,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 $params = (array) $request->getParsedBody();
- $comment = $params['comment'] ?? '';
+ $comments = $params['comments'] ?? '';
 $email = $params['email'] ?? '';
 $password = $params['password'] ?? '';
 $realname = $params['realname'] ?? '';
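Review bot: In the @@ -87,7 +88,7 @@ hunk the parsed-body key changes from 'comment' to 'comments', so if the form in register-page.phtml still posts the field as `comment`, `$comments = $params['comments'] ?? '';` silently yields an empty string and the applicant's note is dropped rather than rejected; the template hunk that would confirm the field name is cut off at the end of this page, so this is worth checking before merge. handle() continues past the end of this hunk.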
@@ -98,16 +99,21 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 throw new Exception(I18N::translate('Please try again.'));
 }
- $this->doValidateRegistration($request, $username, $email, $realname, $comment, $password);
+ $this->doValidateRegistration($request, $username, $email, $realname, $comments, $password);
+
+ Session::forget('register_comments');
+ Session::forget('register_email');
+ Session::forget('register_realname');
+ Session::forget('register_username');
 } catch (Exception $ex) {
 FlashMessages::addMessage($ex->getMessage(), 'danger');
- return redirect(route(RegisterPage::class, [
- 'comment' => $comment,
- 'email' => $email,
- 'realname' => $realname,
- 'username' => $username,
- ]));
+ Session::put('register_comments', $comments);
+ Session::put('register_email', $email);
+ Session::put('register_realname', $realname);
+ Session::put('register_username', $username);
+
+ return redirect(route(RegisterPage::class));
 }
 Log::addAuthenticationLog('User registration requested for: ' . $username);
@@ -122,7 +128,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 $user->setPreference(UserInterface::PREF_TIMESTAMP_REGISTERED, date('U'));
 $user->setPreference(UserInterface::PREF_VERIFICATION_TOKEN, $token);
 $user->setPreference(UserInterface::PREF_CONTACT_METHOD, 'messaging2');
- $user->setPreference(UserInterface::PREF_NEW_ACCOUNT_COMMENT, $comment);
+ $user->setPreference(UserInterface::PREF_NEW_ACCOUNT_COMMENT, $comments);
 $user->setPreference(UserInterface::PREF_IS_VISIBLE_ONLINE, '1');
 $user->setPreference(UserInterface::PREF_AUTO_ACCEPT_EDITS, '');
 $user->setPreference(UserInterface::PREF_IS_ADMINISTRATOR, '');
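Review bot: The four Session::forget() calls in the @@ -98,16 +99,21 @@ hunk are only reached when doValidateRegistration() succeeds, while the catch branch stores the submitted email, real name, username and comments with Session::put() and the @@ -57,10 +58,10 @@ hunk in RegisterPage.php reads them with Session::get() without ever clearing them, so one failed attempt leaves that personal data in the session and pre-fills the form on every later visit until a registration succeeds — on a shared browser that shows the previous visitor's details to the next one. Consuming the values where they are read closes this: in RegisterPage, follow each `Session::get('register_email', '')` with `Session::forget('register_email');` (and likewise for the other three keys), after which the forget() calls in this hunk become a harmless no-op and could be dropped. Moving these values out of the URL and into the session is the right direction, since they no longer reach access logs, browser history or Referer headers. handle() continues beyond this hunk on both sides.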
@@ -157,14 +163,14 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 $body_text = view('emails/register-notify-text', [
 'user' => $user,
- 'comments' => $comment,
+ 'comments' => $comments,
 'base_url' => $base_url,
 'tree' => $tree,
 ]);
 $body_html = view('emails/register-notify-html', [
 'user' => $user,
- 'comments' => $comment,
+ 'comments' => $comments,
 'base_url' => $base_url,
 'tree' => $tree,
 ]);
diff --git a/app/Http/RequestHandlers/RegisterPage.php b/app/Http/RequestHandlers/RegisterPage.php
index 6e3ec0c5cf6..5669b8fafd5 100644
--- a/app/Http/RequestHandlers/RegisterPage.php
+++ b/app/Http/RequestHandlers/RegisterPage.php
@@ -23,6 +23,7 @@
 use Fisharebest\Webtrees\Http\ViewResponseTrait;
 use Fisharebest\Webtrees\I18N;
 use Fisharebest\Webtrees\Services\CaptchaService;
+use Fisharebest\Webtrees\Session;
 use Fisharebest\Webtrees\Site;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -57,10 +58,10 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 $this->checkRegistrationAllowed();
 $tree = $request->getAttribute('tree');
- $comments = $request->getQueryParams()['comments'] ?? '';
- $email = $request->getQueryParams()['email'] ?? '';
- $realname = $request->getQueryParams()['realname'] ?? '';
- $username = $request->getQueryParams()['username'] ?? '';
+ $comments = Session::get('register_comments', '');
+ $email = Session::get('register_email', '');
+ $realname = Session::get('register_realname', '');
+ $username = Session::get('register_username', '');
 $show_caution = Site::getPreference('SHOW_REGISTER_CAUTION') === '1';
diff --git a/resources/views/register-page.phtml b/resources/views/register-page.phtml
index 73412396de8..8338e2ff67b 100644
--- a/resources/views/register-page.phtml
+++ b/resources/views/register-page.phtml
@@ -84,7 +84,7 @@ use Fisharebest\Webtrees\View;
-