There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove
useful for Catalyst: allow junctions for request parameters. Consider the
following:
    # ?sport=football
    my $params = $c->request->query_parameters;
    # { sport => 'football' }
But if there are multiple parameters:
    # ?sport=football;sport=seal%20clubbing
    my $params = $c->request->query_parameters;
    # { sport => [ 'football', 'seal clubbing' ] }
Because multiple parameters are supplied, the data structure changes! All an
attacker needs to do is tack on a duplicate parameter to a query string and
see if the code crashes. Worse, if there are already multiple parameters, the
attacker can restrict them to a single parameter and you'll likely fail when
you attempt to dereference:
    @{ $params->{sport} }
I think this could be eliminated by using an 'any' junction:
    my $sport = $c->request->get_param('sport');
    if ( 'football' eq $sport ) { ... }
That works whether you have one parameter for 'sport' or multiple. Want to
iterate over them?
    foreach my $sport ( $c->request->get_param('sport')->values ) { ... }
Again, that still works whether you have one parameter or several.
The developer no longer needs to write code to detect what data type is
returned and it's one less bug lurking.
Thoughts?
Cheers,
Ovid
--
Buy the book - http://www.oreilly.com/catalog/perlhks/
Tech blog - http://use.perl.org/~Ovid/journal/
Twitter - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
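The following is an added example, not Ovid's code and not part of Catalyst's API: a minimal "any" junction in plain Perl 5 that wraps whatever `query_parameters` holds for a name (nothing, a scalar, or an arrayref) so that `eq` and `->values` behave the same in all three cases. The class name `ParamJunction` and the `get_param` helper are hypothetical; only the shape of the `query_parameters` hash (scalar for one value, arrayref for several) follows what the post describes.

```perl
#!/usr/bin/env perl
# Added example (not from the original post or from Catalyst): an 'any'
# junction over request parameters. ParamJunction and get_param() are
# hypothetical names; the input hashes mirror Catalyst's query_parameters.
use strict;
use warnings;

package ParamJunction;

use overload
    'eq'     => \&_any_eq,
    'ne'     => sub { !_any_eq(@_) },
    '""'     => sub { join ',', $_[0]->values },
    'bool'   => sub { scalar $_[0]->values },
    fallback => 1;

# Normalise undef / scalar / arrayref into one flat list, so callers
# never have to inspect the type (the bug class the post describes).
sub new {
    my ( $class, $raw ) = @_;
    my @values = !defined $raw         ? ()
               : ref $raw eq 'ARRAY'   ? @$raw
               :                         ($raw);
    return bless { values => \@values }, $class;
}

# All values, regardless of how many were sent.
sub values { @{ $_[0]{values} } }

# 'any' semantics: true if at least one value equals the other operand.
# Called by overload as ($self, $other, $swapped) for both operand orders.
sub _any_eq {
    my ( $self, $other ) = @_;
    return 0 unless defined $other;
    for my $v ( $self->values ) {
        return 1 if $v eq "$other";
    }
    return 0;
}

package main;

# Hypothetical accessor: wraps one entry of the query_parameters hash.
sub get_param {
    my ( $params, $name ) = @_;
    return ParamJunction->new( $params->{$name} );
}

# Constructed inputs matching the two query strings from the post, plus
# the case where the parameter is absent entirely.
my $single   = { sport => 'football' };                      # ?sport=football
my $multiple = { sport => [ 'football', 'seal clubbing' ] }; # ?sport=football;sport=seal%20clubbing
my $missing  = {};                                           # no sport parameter

for my $params ( $single, $multiple, $missing ) {
    my $sport = get_param( $params, 'sport' );

    # Same comparison and same iteration work for 0, 1 or N values;
    # no @{ $params->{sport} } dereference that dies on a plain scalar.
    printf "football? %-3s  values: %s\n",
        ( 'football' eq $sport ? 'yes' : 'no' ),
        ( join( ' | ', $sport->values ) || '(none)' );
}
```

Running the script prints one line per case: `yes` with `football` for the single-value hash, `yes` with `football | seal clubbing` for the arrayref, and `no` with `(none)` when the parameter is missing, which is the point of the junction: a request that adds or removes a duplicate parameter changes the values but never the code path.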