[Koha-bugs] [Bug 15809] versions of CGI < 4.08 do not have multi_param
bugzilla-daemon at bugs.koha-community.org
Wed Feb 17 18:25:02 CET 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809
Galen Charlton <gmcharlt at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gmcharlt at gmail.com
--- Comment #10 from Galen Charlton <gmcharlt at gmail.com> ---
So, ->param() starts displaying warnings when evaluated in list context as of
CGI.pm 4.05. ->multi_param() was added in 4.08 as a way of saying "I really
want multiple parameter values, don't make me do { $CGI::LIST_CONTEXT_WARN = 0;
@f = $q->param('foo'); } just to quell the warning."
To deal with the most common exploit scenario, "git grep '=>.*->param'" turns
up ~270 cases where we most likely *don't* want multi_param(); rather, we want
to wrap ->param in scalar(...). I think that should be the first priority.
"git grep '@.*->param'" turns up 332 places in 120 files where a parameter is
intentionally being fed into a list. I'm not keen about monkey-patching a core
module, though I recognize the expediency of it; but if we go that route so
that we can start using ->multi_param() across the board, I think we
*shouldn't* set $CGI::LIST_CONTEXT_WARN. An alternative would be adding a
bunch of "local $CGI::LIST_CONTEXT_WARN = 0;" and making a note to ourselves to
replace that with ->multi_param() once we're past the point where stable Linux
distros ship CGI.pm older than 4.08. We could also do it like this:
Change:
    @f = $cgi->param('foo');
To:
    @f = Koha::CGI::multi_param($cgi, 'foo');
where Koha::CGI::multi_param looks something like this:
    sub multi_param {
        my ($cgi, $param) = @_;
        local $CGI::LIST_CONTEXT_WARN = 0;
        return $cgi->param($param);
    }
That way, we're not monkey-patching a core module and we get something that we
can mechanically translate to $cgi->multi_param once we're assured of having a
recent enough version of CGI.pm.
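As an added illustration (not code from the bug report or from Koha), the script below shows the list-context hazard behind the "=> ... ->param" grep, the scalar(...) fix, and the proposed wrapper, run against a constructed query string in which the same field is sent three times. The build_record_* names and the sample values are assumptions for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the client-controlled field "name" is repeated. In list
# context, param('name') returns every value, so inside a hash constructor the
# surplus values are silently read as an extra key/value pair.
my $cgi = CGI->new('name=alice&name=is_admin&name=1');

# Pattern the comment greps for with '=>.*->param': param() in list context.
sub build_record_vulnerable {
    my ($q) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;   # hide the CGI.pm >= 4.05 warning for this demo
    return { name => $q->param('name'), role => 'patron' };
}

# Fix for that pattern: force scalar context so only the first value is used.
sub build_record_safe {
    my ($q) = @_;
    return { name => scalar($q->param('name')), role => 'patron' };
}

# Wrapper from the comment, for the places that intentionally want a list;
# it is the thing that can later be rewritten mechanically to ->multi_param.
sub multi_param {
    my ($q, $param) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;
    return $q->param($param);
}

my $bad  = build_record_vulnerable($cgi);
my $good = build_record_safe($cgi);

# The vulnerable record gains an unexpected "is_admin" key; the safe one does not.
printf "vulnerable:  %s\n", join ', ', map { "$_=$bad->{$_}" }  sort keys %$bad;
printf "safe:        %s\n", join ', ', map { "$_=$good->{$_}" } sort keys %$good;
printf "multi_param: %s\n", join ' ', multi_param($cgi, 'name');
```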