[Koha-bugs] [Bug 24788] Koha::Object->store calls column names as methods, relying on AUTOLOAD, with possibly surprising results

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Mar 6 10:25:13 CET 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24788

Marcel de Rooy <m.de.rooy at rijksmuseum.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.de.rooy at rijksmuseum.nl

--- Comment #3 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
(In reply to David Gustafsson from comment #0)
> Koha::Object->store accesses DBIx::Class::Row columns as $self->$col, using
> AUTOLOAD, which in effect makes column names and methods share the same
> namespace. I'm no security expert, but I think this should be considered bad
> practice and could be an attack vector. It also has huge potential for
> causing strange bugs, which happened in Bug 14957 where a column is named
> "delete", calling the "delete" method instead of fetching the column value
> as intended. Here is a patch to fix this using a separate namespace for
> setting/getting columns through get_column/set_column instead.

In this case it comes from:
my $columns_info = $self->_result->result_source->columns_info;
just a few lines earlier.
So I guess the security argument does not really apply here. And the "huge
potential for bugs" is a bit overkill.
But the change looks good to me :)
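As an added illustration (not part of this bug report and not Koha's or DBIx::Class's code), the stand-alone Perl script below reproduces the collision described in comment #0 with a small hand-written row class in place of DBIx::Class::Row: a column named "delete" is read once by calling the column name as a method, as store() did, and once through get_column, as the patch does. The package and helper names (Demo::Row, collect_via_method_call, collect_via_get_column) and the sample row are invented for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal stand-in for a DBIx::Class row (constructed for this example;
# not Koha::Object or DBIx::Class::Row). Column values live in
# $self->{_column_data}; AUTOLOAD turns any unknown method into a
# column accessor, so column names and real methods share one namespace.
package Demo::Row;

our $AUTOLOAD;

sub new {
    my ( $class, %cols ) = @_;
    return bless { _column_data => {%cols}, _deleted => 0 }, $class;
}

# Explicit column accessors: the column name is passed as data, so a
# column called "delete" can never resolve to the delete() method.
sub get_column { my ( $self, $col ) = @_; return $self->{_column_data}{$col} }
sub set_column { my ( $self, $col, $v ) = @_; $self->{_column_data}{$col} = $v }
sub columns    { my $self = shift; return sort keys %{ $self->{_column_data} } }

# A real method whose name happens to match a column name.
sub delete { my $self = shift; $self->{_deleted} = 1; return $self }

sub deleted { return $_[0]{_deleted} }

# Any method not defined above is treated as a column accessor.
sub AUTOLOAD {
    my $self = shift;
    ( my $name = $AUTOLOAD ) =~ s/.*:://;
    return if $name eq 'DESTROY';
    die "no such column '$name'" unless exists $self->{_column_data}{$name};
    $self->{_column_data}{$name} = shift if @_;
    return $self->{_column_data}{$name};
}

package main;

# Collect column values the way the original store() did:
# call each column name as a method ($self->$col).
sub collect_via_method_call {
    my $row = shift;
    return { map { $_ => $row->$_ } $row->columns };
}

# Collect column values through get_column, as in the proposed patch.
sub collect_via_get_column {
    my $row = shift;
    return { map { $_ => $row->get_column($_) } $row->columns };
}

# Constructed sample row: "delete" is a column, as in Bug 14957.
my $row = Demo::Row->new( id => 42, delete => 0 );
my $bad = collect_via_method_call($row);
printf "method call: delete => %s, row marked deleted? %d\n",
    ( ref $bad->{delete} ? 'object ' . ref $bad->{delete} : $bad->{delete} ),
    $row->deleted;
# $row->delete resolved to the real delete() method: the row was marked
# deleted and the "column value" is the row object, not 0.

my $row2 = Demo::Row->new( id => 42, delete => 0 );
my $good = collect_via_get_column($row2);
printf "get_column:  delete => %s, row marked deleted? %d\n",
    $good->{delete}, $row2->deleted;
# get_column returned the stored 0 and left the row untouched.
```

Running the script prints one line per strategy; only the method-call variant marks the row deleted, which is the side effect the bug report attributes to Bug 14957. As Marcel notes above, the column names here come from the schema's columns_info rather than from user input, so the example is about accidental collisions, not injected method names.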
