[Koha-bugs] [Bug 15809] versions of CGI < 4.08 do not have multi_param

bugzilla-daemon at bugs.koha-community.org
Wed Feb 17 18:25:02 CET 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809

Galen Charlton <gmcharlt at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gmcharlt at gmail.com

--- Comment #10 from Galen Charlton <gmcharlt at gmail.com> ---
So, ->param() starts displaying warnings when evaluated in list context as of
CGI.pm 4.05.  ->multi_param() was added in 4.08 as a way of saying "I really
want multiple parameter values, don't make me do { $CGI::LIST_CONTEXT_WARN = 0;
@f = $q->param('foo'); } just to quell the warning."

To deal with the most common exploit scenario, "git grep '=>.*->param'" turns
up ~270 cases where we most likely *don't* want multi_param(); rather, we want
to wrap ->param in scalar(...).  I think that should be the first priority.

"git grep '@.*->param'" turns up 332 places in 120 files where a parameter is
intentionally being fed into a list.  I'm not keen about monkey-patching a core
module, though I recognize the expediency of it; but if we go that route so
that we can start using ->multi_param() across the board, I think we
*shouldn't* set $CGI::LIST_CONTEXT_WARN.  An alternative would be adding a
bunch of "local $CGI::LIST_CONTEXT_WARN = 0;" and making a note to ourselves to
replace that with ->multi_param() once we're past the point where stable Linux
distros ship CGI.pm older than 4.08.  We could also do it like this:

Change:

   @f = $cgi->param('foo');

To:

  @f = Koha::CGI::multi_param($cgi, 'foo');

where Koha::CGI::multi_param looks something like this:

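sub multi_param {
    my ($cgi, $param) = @_;
    # Silence the list-context warning for this call only; "local" restores
    # the previous value when the sub returns.
    local $CGI::LIST_CONTEXT_WARN = 0;
    # In list context, param() returns every value submitted for $param.
    return $cgi->param($param);
}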

That way, we're not monkey-patching a core module and we get something that we
can mechanically translate to $cgi->multi_param once we're assured of having a
recent enough version of CGI.pm.

-- 
You are receiving this mail because:
You are watching all bug changes.
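
Added example, not part of the original comment or of Koha's code: what the '=>.*->param' call sites do when a parameter is submitted more than once, next to the scalar(...) form proposed above. It assumes CGI.pm is installed; the query string and the hash keys (is_staff, name, branch) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: 'name' is submitted three times.
my $q = CGI->new('name=alice&name=is_staff&name=1&branch=CPL');

# The pattern matched by "git grep '=>.*->param'": param() is evaluated in
# list context, so every submitted value is spliced into the hash list.
sub build_unscoped {
    my ($cgi) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;    # quiet the CGI.pm 4.05+ warning here
    my %record = (
        is_staff => 0,                        # value the code meant to fix
        name     => $cgi->param('name'),      # becomes 'alice', is_staff => 1
        branch   => $cgi->param('branch'),
    );
    return \%record;
}

# The proposed fix: scalar() forces param() to return one value, so a
# repeated parameter can no longer supply extra key/value pairs.
sub build_scalar {
    my ($cgi) = @_;
    my %record = (
        is_staff => 0,
        name     => scalar $cgi->param('name'),
        branch   => scalar $cgi->param('branch'),
    );
    return \%record;
}

# Print both hashes so the overwritten key is visible side by side.
for my $case ( [ unscoped => build_unscoped($q) ], [ scalar => build_scalar($q) ] ) {
    my ( $label, $h ) = @$case;
    printf "%-9s %s\n", $label,
        join( ', ', map { "$_=$h->{$_}" } sort keys %$h );
}
```

The same comparison works as a regression test for each call site converted to scalar(...): feed it a repeated parameter and assert that no key other than the intended one changes.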
