[Koha-bugs] [Bug 15809] versions of CGI < 4.08 do not have multi_param

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Feb 15 07:51:20 CET 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809

M. Tompsett <mtompset at hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #47965|0                           |1
        is obsolete|                            |

--- Comment #3 from M. Tompsett <mtompset at hotmail.com> ---
Created attachment 48046
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=48046&action=edit
[SIGNED-OFF] Bug 15809: Redefine multi_param is CGI < 4.08 is used

On Debian Jessie, the CGI version is >= 4.08.
Since this version, the param method raises a warning
"CGI::param called in list context".
Indeed, it can cause a vulnerability if called in list context.

https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

There is a long journey to get rid of these warnings.
First I suggest redefining the multi_param method when the installed CGI
 version is < 4.08; it will allow us to move the wrong ->param calls to
 ->multi_param without waiting for everybody to upgrade.

The different ways to call these 2 methods are:

my $foo = $cgi->param('foo'); # OK

my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); # OK

$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
                                               # and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK

NOTE: Tested in conjunction with bug 14076.

Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
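An added Perl illustration of the three call styles listed in the comment and of the kind of multi_param shim the patch describes (example code, not the Koha patch itself). The query string and the is_admin key are constructed to show why the list-context call is the vulnerable one.

```perl
use strict;
use warnings;
use CGI;

# Assumed shim (not Koha's code): only install multi_param when the
# installed CGI.pm predates 4.08 and therefore does not provide it.
# On old CGI, param() in list context returns every value without warning.
BEGIN {
    if ( !CGI->can('multi_param') ) {
        *CGI::multi_param = sub {
            my $self = shift;
            return $self->param(@_);    # list context on purpose: all values
        };
    }
}

# Constructed request: the client repeats "foo" so that the extra values
# line up as a key/value pair when spliced into a hash.
my $cgi = CGI->new('foo=bar&foo=is_admin&foo=1');

# NOK: list context. param() returns ('bar', 'is_admin', '1'), so the hash
# becomes ( foo => 'bar', is_admin => '1' ) and the caller never asked
# for is_admin. CGI >= 4.08 warns "CGI::param called in list context" here.
my %unsafe = ( foo => $cgi->param('foo') );

# OK: scalar forces the first value only, so no extra keys can appear.
my %safe = ( foo => scalar $cgi->param('foo') );

# OK: multi_param says explicitly that all values are wanted, and it exists
# on CGI >= 4.08 natively or via the shim above on older versions.
my @all = $cgi->multi_param('foo');

print "unsafe hash keys: ", join( ',', sort keys %unsafe ), "\n";   # foo,is_admin
print "safe hash keys:   ", join( ',', sort keys %safe ),   "\n";   # foo
print "all values:       @all\n";                                   # bar is_admin 1
```

Run it once against CGI < 4.08 and once against >= 4.08: the injected is_admin key appears in %unsafe in both cases, and the newer CGI adds the warning on that line only.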
