[Koha-bugs] [Bug 15747] Auth.pm flooding error log with "CGI::param called in list context"

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Feb 16 00:39:06 CET 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15747

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dcook at prosentient.com.au

--- Comment #18 from David Cook <dcook at prosentient.com.au> ---
Jonathan's patch looks good - provided that
$in->{'query'}->param('auth_forwarded_hash') is a single value and not a multi
value. (I assume that it is a single value.)

I'd like to clarify one thing though. The warning "Do not use CGI->param in
list context" is not strictly necessary.

The problem isn't with CGI->param() in list context per se but rather with
CGI->param("foo") in list context. I'm using "my @param_names = CGI->param()"
elsewhere and it doesn't generate warnings. It only generates warnings if
you're passing the method an argument, as it introduces some ambiguity and the
possibility of buggy behaviour. Here's the example from CGI:

my %user_info = (
    id   => 1,
    name => $query->param('name'),
);

In theory, someone could submit multiple "name" arguments, so the above could
actually be interpolated like this:

my %user_info = (
    id   => 1,
    name => "bruce", "wayne", "clark", "kent"
);

If you run the code with that list as the value for "name", you'll get the
following hash after interpolation:

'id' => 1,
'name' => 'bruce',
'kent' => undef,
'wayne' => 'clark'

That's definitely a vulnerability. 

So if you know that you only have one "name", you can use "scalar
$query->param('name')". 

However, if you know that you have multiple names, but don't want to wind up
with a mangled hash, I think you should be able to do the following:

my %user_info = (
    id   => 1,
    name => [$query->param('name')],
);

That should give you the following:

'id' => 1,
'name' => [
    'bruce',
    'wayne',
    'clark',
    'kent'
]

Of course, I think you'd still get the warning even if you did
$query->param('name'), which is why CGI->multi_param probably makes more sense
as per https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809.

-- 
You are receiving this mail because:
You are watching all bug changes.
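The hash-flattening problem described in the comment above, as an added worked example (not code from the bug report or from Koha). It builds a CGI object from a constructed query string with a repeated "name" parameter and puts the vulnerable form next to the two safe forms: scalar context when one value is expected, and multi_param() when a list is wanted. It assumes CGI.pm 4.08 or later, which is where multi_param() and the list-context warning were introduced.

```perl
#!/usr/bin/env perl
# Added example, not code from the bug report or from Koha. It reproduces the
# hash-flattening problem with a constructed request and shows the two safe
# forms: scalar context for a single value, multi_param() for a list.
use strict;
use warnings;
use CGI;    # CGI.pm 4.08 or later: has multi_param() and the list-context warning

# Constructed input: the client repeats "name" four times. CGI->new accepts a
# raw query string, so this runs offline with no web server.
my $q = CGI->new('id=1&name=bruce&name=wayne&name=clark&name=kent');

# Vulnerable form. param('name') is evaluated in list context because it sits
# inside a list, so all four values are spliced into the hash constructor and
# the key/value pairing shifts. CGI.pm carps about it once per process, and
# perl adds "Odd number of elements in hash assignment".
my %vuln = (
    id   => 1,
    name => $q->param('name'),
);
# %vuln is now: id => 1, name => 'bruce', wayne => 'clark', kent => undef

# Fix when exactly one value is expected: force scalar context. CGI.pm returns
# the first value and the extra copies are ignored.
my %single = (
    id   => 1,
    name => scalar $q->param('name'),    # 'bruce'
);

# Fix when several values are legitimate: take the list into an array
# reference so the hash still has exactly one "name" key. [ $q->param('name') ]
# builds the same array but still triggers the list-context warning, which is
# why multi_param() is the form to prefer.
my %multi = (
    id   => 1,
    name => [ $q->multi_param('name') ],    # [ 'bruce', 'wayne', 'clark', 'kent' ]
);

# param() with no argument returns the parameter names and does not warn: the
# check inside CGI::param only runs after the no-argument case has returned.
my @param_names = $q->param();

# Print the three shapes side by side so the shifted keys are visible.
for my $case ( [ 'vulnerable', \%vuln ], [ 'scalar', \%single ], [ 'multi_param', \%multi ] ) {
    my ( $label, $h ) = @$case;
    print "$label: ", join( ', ', map {
        my $v = $h->{$_};
        "$_=" . ( !defined $v ? 'undef' : ref $v ? '[' . join( ',', @$v ) . ']' : $v )
    } sort keys %$h ), "\n";
}
print "param names: @param_names\n";
```

Expected shape of the output: the "vulnerable" line carries the keys id, kent, name and wayne, while the other two carry only id and name. The warning itself can be silenced with $CGI::LIST_CONTEXT_WARN = 0, but doing so hides exactly the call sites this bug is about; fixing each call with scalar or multi_param() is the right response.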