This queue is for tickets about the CGI-Ajax CPAN distribution.

Report information
The Basics
Id: 118742
Status: new
Priority: 0/
Queue: CGI-Ajax

People
Owner: Nobody in particular
Requestors: eponymousalias [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.707
Fixed in: (no value)
Subject: fix for CGI::param() warning
Recent releases of CGI, such as CGI-4.35, throw off this warning when CGI::param() is called in list context: warn "CGI::param called in list context from $filename line $line, this can lead to vulnerabilities. " . 'See the warning in "Fetching the value or values of a single named parameter"'; The CGI::Ajax::getparam() routine triggers this warning, even though there is no vulnerability at the location of the offending call. It's annoying to have it constantly show up in error logs. So it makes sense to fix the CGI::Ajax code to call CGI::multi_param() instead if it is available. This can be done with the following simple fix (also attached here as CGI_Ajax.pm.patch), which is backward-compatible to earlier CGI releases not containing the multi_param() call: --- CGI/Ajax.pm.orig 2008-10-08 11:13:34.000000000 -0700 +++ CGI/Ajax.pm 2016-09-28 16:01:32.344698518 -0700 @@ -482,7 +482,7 @@ sub getparam { my ( $self, $name ) = @_; my $cgi = $self->cgi(); - my @v = $cgi->param($name); + my @v = $cgi->can('multi_param') ? $cgi->multi_param($name) : $cgi->param($name); if ( @v == 1 and !defined $v[0] ) { my $query = $cgi->isa('CGI::Application'); @v = $cgi->query()->param($name) if defined $query; Relevant Web references: http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ http://search.cpan.org/~leejo/CGI-4.33/lib/CGI.pod#Fetching_the_value_or_values_of_a_single_named_parameter
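Review bot: the unchanged context line `@v = $cgi->query()->param($name) if defined $query;` still calls param() in list context, so whenever the CGI::Application fallback is taken the same CGI-4.x warning will keep appearing in the error log; give that call the same `->can('multi_param') ? ->multi_param($name) : ->param($name)` treatment as the changed line. The guarded ternary itself is the right shape: multi_param() states the list intent explicitly (the warning exists because a parameter the client sends more than once expands silently in list context, the issue the linked gerv.net post describes), and the can() check keeps the module loading on CGI releases that predate multi_param().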
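To show what the warning is protecting against and why the patch spells out its intent with multi_param(), here is an added Perl example (not code from the ticket or from CGI::Ajax) that builds a CGI object from a constructed query string and contrasts an implicit list-context param() call with the explicit scalar and multi_param() forms; it assumes CGI.pm 4.08 or later, where multi_param() exists, and the helper name all_values is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket or from CGI::Ajax.
# Demonstrates why CGI 4.x warns about list-context param() and how the
# can('multi_param') guard used in the patch keeps each call explicit.
use strict;
use warnings;
use CGI;

# Constructed request: the client repeats 'name' so that the second and
# third values line up as an extra key/value pair once they are expanded
# inside a list.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# Implicit list context: param() returns every value of 'name', and the
# extra values flatten into the hash and override the is_admin default
# set just before them. This is the call that CGI >= 4.08 warns about.
my %args = ( is_admin => 0, name => $q->param('name') );
print "list-context param(): is_admin=$args{is_admin}\n";

# Explicit scalar context: only the first value is taken, so the hash
# keeps its shape no matter how many values the client sent.
my %safe = ( is_admin => 0, name => scalar $q->param('name') );
print "scalar param():       is_admin=$safe{is_admin}\n";

# Code that genuinely wants every value (as CGI::Ajax::getparam does)
# says so with multi_param(), falling back to param() on CGI releases
# that lack it, exactly as the patch in this ticket does.
sub all_values {
    my ( $cgi, $name ) = @_;
    return $cgi->can('multi_param')
        ? $cgi->multi_param($name)
        : $cgi->param($name);
}
my @v = all_values( $q, 'name' );
print "multi_param():        ", scalar(@v), " values: @v\n";
```

Run it and compare the is_admin value in the first two lines of output; the list-context call lets the client-supplied values rewrite a key the code thought it controlled, while the scalar call does not.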