From fc827a003a44540b80cf31ce009721897d931191 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 5 Nov 2013 14:40:40 +0100
Subject: [PATCH] Be paranoid about the Persona email address

---
 src/lib/Hydra/Controller/User.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lib/Hydra/Controller/User.pm b/src/lib/Hydra/Controller/User.pm
index ca626077..4b6033a8 100644
--- a/src/lib/Hydra/Controller/User.pm
+++ b/src/lib/Hydra/Controller/User.pm
@@ -63,6 +63,10 @@ sub persona_login :Path('/persona-login') Args(0) {
     my $email = $d->{email} or die;
+    # Be paranoid about the email address format, since we do use it
+    # in URLs.
+    die "Illegal email address." unless $email =~ /^[a-zA-Z0-9\.\-\_]+@[a-zA-Z0-9\.\-\_]+$/;
+
     my $user = $c->find_user({ username => $email });
     if (!$user) {