[Koha-bugs] [Bug 15809] versions of CGI < 4.08 do not have multi_param

bugzilla-daemon at bugs.koha-community.org
Wed Feb 17 13:57:34 CET 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809

Marcel de Rooy <m.de.rooy at rijksmuseum.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA
         QA Contact|testopia at bugs.koha-communit |m.de.rooy at rijksmuseum.nl
                   |y.org                       |

--- Comment #5 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
I am having the impression that we do not completely tackle the problem (read
vulnerability given) here.
Because just switching param to multi_param (without looking to the context)
does not really solve it. You only suppress the warning.

We could still be vulnerable with calls like:
my $hash = { a => multi_param('b'), c => 'd' };
If multi_param b returns ( b1, b2, b3), your hash is 'injected' with b2 => b3,
just the same as param b would have done.

So we should check (before or after this patch) if we are calling params in a
hash context. If so, prepend with scalar.

Redefining methods/routines for lower versions of a module is not the most
elegant solution (from QA perspective). If we could prevent doing so, we
should. 
Since we do not need to add calls to multi_param yet and we do not address the
actual vulnerability in this patch, I would propose to not add this
redefinition. We should concentrate on the calls to param in a hash context and
scalarize them. (The warnings in the log show us where these calls are.) 

Failed QA
I will also ask for another (QA) opinion on the dev list.

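The list-context injection described in the comment above, shown side by side with the scalarized form (an added example, not code from the bug's patch or from Koha; it assumes CGI.pm is installed, and the `unexpected_keys` helper is a hypothetical check written for this illustration):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the 'b' parameter is repeated three times, which is
# something any client can do no matter what the form intended.
my $q = CGI->new('b=b1&b=b2&b=b3');

# Vulnerable pattern: param() (multi_param() behaves the same) sits in list
# context inside a hash constructor, so every value of 'b' is flattened into
# the key/value list. Recent CGI versions log "CGI::param called in list
# context" at this call site, which is how such sites can be located.
sub build_unsafe {
    my ($q) = @_;
    return { a => $q->param('b'), c => 'd' };
}

# Hardened pattern: 'scalar' forces scalar context, so exactly one value binds
# to 'a' and the remaining values cannot become extra keys.
sub build_safe {
    my ($q) = @_;
    return { a => scalar $q->param('b'), c => 'd' };
}

# Hypothetical check: report any key the code did not intend to set.
sub unexpected_keys {
    my ($hash, @allowed) = @_;
    my %ok = map { $_ => 1 } @allowed;
    return sort grep { !$ok{$_} } keys %$hash;
}

for my $case ( [ unsafe => build_unsafe($q) ], [ safe => build_safe($q) ] ) {
    my ( $label, $hash ) = @$case;
    my @extra = unexpected_keys( $hash, qw(a c) );
    printf "%-6s %s\n", $label,
        join ', ', map { "$_ => $hash->{$_}" } sort keys %$hash;
    printf "%-6s injected keys: %s\n", '', @extra ? "@extra" : 'none';
}
```

The unsafe hash comes back as `a => b1, b2 => b3, c => d` (the `b2 => b3` pair is the injection the comment describes), while the scalarized version contains only `a => b1, c => d`.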