https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24788 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to David Gustafsson from comment #0)
Koha::Object->store accesse sDBIx::Class::Row columns as $self->$col, using AUTOLOAD, which in effect makes column names and methods share the same namespace. I'm no security expert, but I think this should be considered bad practice and could be an attack vector. It also has huge potential for causing strange bugs, which happened in Bug 14957 where a column is named "delete", calling the "delete" method instead of fetching the column value as intended. Here is patch to fix this using a separate namespace for setting/getting columns through get_column/set_column instead.
In this case it comes from: my $columns_info = $self->_result->result_source->columns_info; just a few lines earlier. So I guess the security argument does not really apply here. And the "huge potential for bugs" is a bit overkill. But the change looks good to me :) -- You are receiving this mail because: You are watching all bug changes.