Subject: CGI.pm warnings about param() on newer CGI.pms
In response to the bugzilla bugs a few weeks back, CGI.pm in 4.05 and later started warning if you call param() in list context.
https://metacpan.org/changes/distribution/CGI
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
This is the relevant warning:
CGI::param called in list context from package HTML::Mason::Utils line 48, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter"
Relevant code:
my @values = map { $q->$_($key) } @methods;
$args{$key} = @values == 1 ? $values[0] : \@values;
I don't see how this is vulnerable, which means HTML::Mason needs to turn on the "stop that" flag for CGI.pm
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
I've attached a trivial test that passes RT's test suite locally and quiets warnings in normal usage.
It also passes dzil test for HTML-Mason, except for the author-live tests which I'm not set up to run.
This came up via Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765477
-kevin
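As an added illustration (not part of Kevin's message, and not HTML::Mason's or CGI.pm's own code), the following script puts the pattern CGI.pm 4.05 warns about next to the per-key construction used in HTML::Mason::Utils. It assumes CGI.pm is installed (it is no longer in Perl core since 5.22); the query string, the function names `flattened_args` and `mason_style_args`, and the `name`/`email` keys are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # CGI.pm from CPAN; not in core since Perl 5.22

# Constructed request: the "name" key is repeated on purpose so that a
# list-context param('name') returns three values instead of one.
my $QUERY = 'name=alice&name=role&name=admin&email=alice@example.org';

# The pattern the CGI.pm warning targets: param() evaluated directly inside a
# hash constructor is in list context, so every value it returns becomes part
# of the flat key/value list that builds the hash. With the query above the
# resulting hash gains a "role" key this code never asked for.
sub flattened_args {
    my ($q) = @_;
    my %user = (
        name  => $q->param('name'),
        email => $q->param('email'),
    );
    return \%user;
}

# Mason-style construction (same shape as cgi_request_args in
# HTML::Mason::Utils): each key is fetched on its own and its value list is
# collapsed to a scalar (one value) or an array reference (several), so a
# repeated key can only ever affect its own slot in %args.
sub mason_style_args {
    my ($q) = @_;
    my %args;
    # The list-context call below is deliberate, as in the attached patch,
    # so silence the CGI.pm 4.05+ warning for this block only.
    local $CGI::LIST_CONTEXT_WARN = 0;
    foreach my $key ( $q->param ) {    # no argument: returns parameter names
        next if exists $args{$key};
        my @values = $q->param($key);
        $args{$key} = @values == 1 ? $values[0] : \@values;
    }
    return \%args;
}

my $q = CGI->new($QUERY);

my $flat = flattened_args($q);
print "hash-constructor keys: ", join( ', ', sort keys %$flat ), "\n";

my $mason = mason_style_args($q);
print "Mason-style keys:      ", join( ', ', sort keys %$mason ), "\n";
print "Mason-style name:      ",
    join( ', ', @{ $mason->{name} } ), "\n";
```

Run it as `perl script.pl`. The first line lists `email, name, role`; the second lists only `email, name`, and the third shows all three submitted values kept under `name`. With CGI.pm 4.05 or later the call inside `flattened_args` also emits the "called in list context" warning on STDERR, which is exactly the case the warning exists for, while `mason_style_args` stays quiet because of the localized `$CGI::LIST_CONTEXT_WARN`.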
Subject: 0001-Ask-CGI-to-not-warn-about-param-in-list-context.patch
From 0891bd1f51df3a76b083df9052092837c4f28fe7 Mon Sep 17 00:00:00 2001
From: Kevin Falcone <falcone@bestpractical.com>
Date: Wed, 15 Oct 2014 15:28:09 -0400
Subject: [PATCH] Ask CGI to not warn about param() in list context.
Mason protects from the class of param() bugs which allow users to sneak in
arguments as described here:
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
Since CGI.pm 4.05 the only way to quiet this warning is by setting their
variable as documented here
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
Mason has always allowed foo=1&foo=2 to end up available in a template
as @foo = (1,2) so retain backcompat.
---
lib/HTML/Mason/Utils.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/HTML/Mason/Utils.pm b/lib/HTML/Mason/Utils.pm
index ef9c5b8..c3e814e 100644
--- a/lib/HTML/Mason/Utils.pm
+++ b/lib/HTML/Mason/Utils.pm
@@ -42,6 +42,7 @@ sub cgi_request_args
foreach my $key ( map { $q->$_() } @methods ) {
next if exists $args{$key};
+ local $CGI::LIST_CONTEXT_WARN = 0;
my @values = map { $q->$_($key) } @methods;
$args{$key} = @values == 1 ? $values[0] : \@values;
}
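Review bot: the added `local $CGI::LIST_CONTEXT_WARN = 0;` sits inside the `foreach` body, so it is re-localized on every iteration; moving it to the line just above the `foreach` (still inside `cgi_request_args`) sets it once for the whole loop and still restores the previous value when the sub returns. The reason it is safe to disable the warning here, which the commit message gives (each key is collapsed to a scalar or an arrayref by `$args{$key} = @values == 1 ? $values[0] : \@values;`, so the list-context call cannot spill into neighbouring hash keys), should also be a one-line comment beside the assignment; otherwise the next reader sees CGI.pm's safety warning switched off with no explanation in the code.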
--
1.9.3