[koha-commits] main Koha release repository branch master updated. v3.22.00-930-g94dde6b

Git repo owner gitmaster at git.koha-community.org
Wed Mar 23 00:16:36 CET 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  94dde6b48d6e20a5260ea49f9b98ec884c2c25b5 (commit)
      from  08eabd2b9688d8394f07af118beabb3980b0b1d0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 94dde6b48d6e20a5260ea49f9b98ec884c2c25b5
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Feb 12 11:32:02 2016 +0000

    Bug 15809: Redefine multi_param if CGI < 4.08 is used
    
    On Debian Jessie, the CGI version is >= 4.08.
    Since this version, the param method raises a warning
    "CGI::param called in list context".
    Indeed, it can cause a vulnerability if called in list context.
    
    https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
    http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
    
    There is a long journey to get rid of these warnings.
    First I suggest redefining the multi_param method when the installed
    CGI version is < 4.08; it will allow us to move the wrong ->param calls
    to ->multi_param without waiting for everybody to upgrade.
    
    The different ways to call these 2 methods are:
    
    my $foo = $cgi->param('foo'); # OK
    
    my @foo = $cgi->param('foo'); # NOK, will raise the warning
    my @foo = $cgi->multi_param('foo'); #OK
    
    $template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
                                                   # and vulnerable
    $template->param( foo => scalar $cgi->param('foo') ); # OK
    
    Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Tested a call to multi_param with CGI < 4.08.
    With reference to the comments on Bugzilla, this workaround is arguable,
    but provides a base to move to multi_param. If we come up with a better
    solution, it should be easy to adjust.
    
    Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 C4/Context.pm |    9 +++++++++
 1 file changed, 9 insertions(+)
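
The hazard the commit log describes, and the multi_param shim it proposes, shown as an added example that is not the Koha commit's own code (the actual change lives in C4/Context.pm and is not reproduced here). It assumes CGI.pm is installed; the query string is constructed for the demonstration and the values in it are placeholders. A list-context `param` call that feeds a hash lets a request with repeated parameter names inject extra key/value pairs; `scalar` prevents that, and `multi_param` is the explicit way to ask for all values:

```perl
#!/usr/bin/perl
# Added example, not from the Koha commit: CGI::param in list context
# versus scalar context, plus a multi_param shim for CGI < 4.08.
use strict;
use warnings;
use CGI;

# Shim modelled on the idea in the commit log (assumption: CGI older than
# 4.08 lacks multi_param). It simply calls param in list context, which is
# the behaviour multi_param documents. On CGI >= 4.08 the real method is
# used and list-context param() calls emit the warning quoted in the log.
if ( $CGI::VERSION < 4.08 && !CGI->can('multi_param') ) {
    no warnings 'redefine';
    *CGI::multi_param = sub {
        my $self   = shift;
        my @values = $self->param(@_);    # list context on purpose
        return @values;
    };
}

# Constructed request: 'name' is repeated so that, in list context, the
# extra values land in neighbouring hash slots. Placeholder data only.
my $cgi = CGI->new('name=alice&name=is_admin&name=1');

# NOK: param() in list context expands to ('alice', 'is_admin', '1'), so
# the hash silently gains an injected key is_admin => 1.
my %unsafe = ( name => $cgi->param('name'), role => 'user' );

# OK: scalar forces exactly one value; no extra key can be injected.
my %safe = ( name => scalar $cgi->param('name'), role => 'user' );

# OK: when every value is wanted, ask for the list explicitly.
my @all_names = $cgi->multi_param('name');

printf "unsafe hash has is_admin key: %s\n", exists $unsafe{is_admin} ? 'yes' : 'no';
printf "safe hash name: %s\n", $safe{name};
printf "multi_param returned %d value(s)\n", scalar @all_names;
```

Run it once against a pre-4.08 CGI and once against a newer one: the first exercises the shim, the second prints the "called in list context" warning on the `%unsafe` line, which is exactly the call pattern the commit wants migrated to either `scalar $cgi->param(...)` or `$cgi->multi_param(...)`.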


hooks/post-receive
-- 
main Koha release repository