https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809 Bug ID: 15809 Summary: versions of CGI < 4.08 do not have multi_param Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: ASSIGNED Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org On debian Jessie, the CGI version is >= 4.08 Since this version, the param method raise a warning "CGI::param called in list context". Indeed, it can cause vulnerability if called in list context https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-... http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applicat... There is a long journey to get rid of these warnings. First I suggest to redefine the multi_param method when the CGI version installed is < 4.08, it will allow us to move the wrong ->param calls to ->multi_param without waiting for everybody to upgrade. The different ways to call these 2 methods are: my $foo = $cgi->param('foo'); # OK my @foo = $cgi->param('foo'); # NOK, will raise the warning my @foo = $cgi->multi_param('foo'); #OK $template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning and vulnerable $template->param( foo => scalar $cgi->param('foo') ); # OK -- You are receiving this mail because: You are watching all bug changes.