
This queue is for tickets about the Data-FormValidator CPAN distribution.

Maintainer(s)' notes

This is the bug queue for Data::FormValidator.

Report information
The Basics
Id: 100408
Status: open
Priority: 0/
Queue: Data-FormValidator

People
Owner: Nobody in particular
Requestors: augustin [...] heidenhain.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Bug: Data-FormValidator->Results.pm
Date: Mon, 17 Nov 2014 15:59:23 +0100
To: "bug-Data-FormValidator [...] rt.cpan.org" <bug-Data-FormValidator [...] rt.cpan.org>
From: Augustin Heinz-Werner Dr. <augustin [...] heidenhain.de>
According to https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter I've changed line 1074 of Results.pm in your module Data::FormValidator from

    @v = $data->param($k);

to

    @v = scalar $data->param($k);

Otherwise I get entries in my error log files such as

    CGI::param called in list context from package Data::FormValidator::Results line 1076, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at <path>/CGI.pm line 436

Kind regards,
HW Augustin
-----Original Message-----
From: Mark Stosberg [mailto:mark@stosberg.com]
Sent: Friday, 14 November 2014 14:51
To: Augustin Heinz-Werner Dr.
Subject: Re: Data-FormValidator->Results.pm

Thanks,

Please open a bug report about this. We do want to avoid the warning, but we intentionally get back multiple values, so we need to use the new method added to CGI.pm which returns multiple values, and bump the dependency on the version of CGI.pm required.

I'm not actively using the module anymore (I got a new job programming JavaScript), but I will see that the bug report gets attended to.

Mark

On Fri, Nov 14, 2014, at 12:51 AM, Augustin Heinz-Werner Dr. wrote:
> Dear Mark,
> according to
> https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
> I've changed line 1074 of Results.pm in your module Data::FormValidator from
>
>     @v = $data->param($k);
>
> to
>
>     @v = scalar $data->param($k);
>
> Otherwise I get entries in my error log files such as
>
>     CGI::param called in list context from package Data::FormValidator::Results line 1076, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at <path>/CGI.pm line 436
>
> Maybe this is of interest to you.
>
> Kind regards,
> HW Augustin
>
> ------------------------------------------------------------
> mailto:augustin@heidenhain.de
> tel.: +49 8669 31 2263
> fax: +49 8669 32 2263
> ------------------------------------------------------------
>
> DR. JOHANNES HEIDENHAIN GmbH
> Dr.-Johannes-Heidenhain-Str. 5
> 83301 Traunreut, Germany
> http://www.heidenhain.de
>
> ------------------------------------------------------------------------------------------------------
> Registergericht: Traunstein / Registry Court: HRB 275 - Sitz / Head Office: Traunreut
> Aufsichtsratsvorsitzender / Chairman of Supervisory Board: Rainer Burkhard
> Geschäftsführung / Management Board: Thomas Sesselmann (Vorsitzender / Chairman), Michael Grimm
>
> E-Mail Haftungsausschluss / E-Mail Disclaimer:
> http://www.heidenhain.de/disclaimer
On Mon Nov 17 09:59:41 2014, augustin@heidenhain.de wrote:
Thanks for this. I've used the CGI-recommended method, "multi_param", in the fork of this repo: https://github.com/dnmfarrell/Data-FormValidator/commit/197603811d456b517b0d5fd5084956dbf69aaa4e

N.B. it's still insecure though :-(
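As an added illustration (this is not code from Data::FormValidator, CGI.pm or the linked commit), the following Perl script runs the three forms discussed in this ticket against a constructed query string: the original list-context param() call, the reporter's scalar fix, and the multi_param() replacement the maintainers preferred. It assumes CGI.pm 4.08 or later, the release I understand introduced multi_param() and the list-context warning; all variable names are mine.

```perl
#!/usr/bin/env perl
# Added illustration, not code from Data::FormValidator or CGI.pm.
# Assumes CGI.pm >= 4.08 (multi_param() and the list-context warning).
use strict;
use warnings;
use CGI 4.08;

# Constructed request: "tags" is legitimately multi-valued, while "email"
# arrives with two extra values the form never expected.
my $q = CGI->new(
    'name=alice&tags=perl&tags=cgi&email=a@example.org&email=role&email=admin'
);

# 1. The hazard CGI.pm warns about: param() in list context inside a hash
#    constructor. Every value of "email" is spliced into the key/value
#    list, so the trailing pair ('role', 'admin') overrides role => 'user'
#    and the client has set a key the code never meant to read from it.
my %naive = (
    name  => $q->param('name'),   # triggers "CGI::param called in list context"
    role  => 'user',
    email => $q->param('email'),  # expands to 'a@example.org', 'role', 'admin'
);

# 2. Fix A, what the reporter applied ("@v = scalar $data->param($k)"):
#    no warning, but only the first value of each field survives, so the
#    second "tags" value is silently lost. That is why the maintainers
#    did not want this form in Data::FormValidator.
my %first_only;
for my $k ($q->param) {           # param() with no arguments lists the names
    $first_only{$k} = scalar $q->param($k);
}

# 3. Fix B, what the maintainers chose: multi_param() is explicitly
#    list-valued, so the intent is visible, no warning is emitted, and
#    the values stay in an arrayref instead of being flattened into a hash.
my %all_values;
for my $k ($q->param) {
    my @v = $q->multi_param($k);  # replaces: @v = $data->param($k);
    $all_values{$k} = \@v;
}

printf "naive role: %s\n",       $naive{role};
printf "scalar tags: %s\n",      $first_only{tags};
printf "multi_param tags: %s\n", join ',', @{ $all_values{tags} };
printf "multi_param role: %s\n", exists $all_values{role} ? 'set' : 'absent';
```

Run it once with CGI.pm installed and watch STDERR: the list-context warning appears for the %naive construction only, which is the same message the reporter found in his error log.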