[Koha-bugs] [Bug 15809] versions of CGI < 4.08 do not have multi_param
bugzilla-daemon at bugs.koha-community.org
Wed Feb 17 13:57:34 CET 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809
Marcel de Rooy <m.de.rooy at rijksmuseum.nl> changed:
What            |Removed                              |Added
----------------------------------------------------------------------------
Status          |Signed Off                           |Failed QA
QA Contact      |testopia at bugs.koha-community.org  |m.de.rooy at rijksmuseum.nl
--- Comment #5 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
I have the impression that we do not completely tackle the problem (read: the
vulnerability given) here.
Because just switching param to multi_param (without looking at the context)
does not really solve it. You only suppress the warning.
We could still be vulnerable with calls like:
my $hash = { a => multi_param('b'), c => 'd' };
If multi_param b returns ( b1, b2, b3), your hash is 'injected' with b2 => b3,
just the same as param b would have done.
So we should check (before or after this patch) if we are calling param in a
hash context. If so, prepend it with scalar.
Redefining methods/routines for lower versions of a module is not the most
elegant solution (from a QA perspective). If we could avoid doing so, we
should.
Since we do not need to add calls to multi_param yet and we do not address the
actual vulnerability in this patch, I would propose to not add this
redefinition. We should concentrate on the calls to param in a hash context and
scalarize them. (The warnings in the log show us where these calls are.)
Failed QA
I will also ask for another (QA) opinion on the dev list.
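The injection described in the comment above, as an added example that is not part of this bug report or of Koha's code. Instead of loading CGI.pm it uses stand-in param/multi_param subs over a constructed query (b=b1&b=b2&b=b3) so it runs offline; the stand-ins are assumed to follow CGI.pm's context rules (all values in list context, the first value in scalar context) but are not the module itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a parsed query string, here b=b1&b=b2&b=b3.
# This is not CGI.pm; a plain hash of array refs keeps the example offline.
my %query = ( b => [ 'b1', 'b2', 'b3' ] );

# Stand-in for CGI::param (assumed pre-4.08 behaviour): every value in list
# context, the first value in scalar context. The real CGI.pm additionally
# warns on a list-context call; that warning is what shows up in Koha's log.
sub param {
    my ($name) = @_;
    my @vals = @{ $query{$name} || [] };
    return wantarray ? @vals : $vals[0];
}

# Stand-in for CGI::multi_param: same values, same context rules, no warning.
sub multi_param {
    return param(@_);
}

# A hash constructor ( ... ) or { ... } evaluates its contents in list
# context, so every value of b spills in and is paired up as key => value.
sub build_unsafe {
    my %h = ( a => multi_param('b'), c => 'd' );
    return \%h;    # ( a => 'b1', b2 => 'b3', c => 'd' ): key 'b2' was injected
}

# param() in the same position behaves identically, so swapping one for the
# other only silences the warning.
sub build_unsafe_with_param {
    my %h = ( a => param('b'), c => 'd' );
    return \%h;
}

# Hardened: force scalar context so exactly one value is taken.
sub build_safe {
    my %h = ( a => scalar multi_param('b'), c => 'd' );
    return \%h;    # ( a => 'b1', c => 'd' )
}

# Audit helper: report keys the caller never meant to set.
sub injected_keys {
    my ( $h, @expected ) = @_;
    my %ok = map { $_ => 1 } @expected;
    return sort grep { !$ok{$_} } keys %$h;
}

for my $case (
    [ 'multi_param in list context', build_unsafe() ],
    [ 'param in list context',       build_unsafe_with_param() ],
    [ 'scalar multi_param',          build_safe() ],
) {
    my ( $label, $h ) = @$case;
    my @bad = injected_keys( $h, qw(a c) );
    printf "%-28s keys=%-10s injected=%s\n", $label,
        join( ',', sort keys %$h ), @bad ? join( ',', @bad ) : 'none';
}
```

The first two cases end up with keys a,b2,c and report b2 as injected; only the scalar form keeps a,c. When auditing, the places to look are not just hash constructors but any list-context position, such as the argument list of a function or method call, since those pair up extra values the same way.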