On Wed, Oct 22, 2008 at 2:34 AM, Ovid <[EMAIL PROTECTED]> wrote:
> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might 
> prove useful for Catalyst:  allow junctions for request parameters.  Consider 
> the following:
>
>  # ?sport=football
>  my $params = $c->request->query_parameters;
>  # { sport => 'football' }
>
> But if there are multiple parameters:
>
>  # ?sport=football;sport=seal%20clubbing
>  my $params = $c->request->query_parameters;
>  # { sport => [ 'football', 'seal clubbing' ] }
>
> Because multiple parameters are supplied, the data structure changes!  All an 
> attacker needs to do is tack on a duplicate parameter to a query string and 
> see if the code crashes.  Worse, if there are already multiple parameters, 
> the attacker can restrict them to a single parameter and you'll likely fail 
> when you attempt to dereference:
>
>  @{ $params->{sport} }
>
> I think this could be eliminated by using an 'any' junction:
>
>  my $sport = $c->request->get_param('sport');
>  if ( 'football' eq $sport ) { ... }
>
> That works whether you have one parameter for 'sport' or multiple.  Want to 
> iterate over them?
>
>  foreach my $sport ( $c->request->get_param('sport')->values ) { ... }
>
> Again, that still works whether you have one parameter or several.
>
> The developer no longer needs to write code to detect what data type is 
> returned and it's one less bug lurking.
>
> Thoughts?
>
> Cheers,
> Ovid


Not a bad idea, and I tend to wrap this stuff anyway, but then
$c->request doesn't look like a CGI-compat object, which is immensely
helpful when dealing with other code.  If it were still API
compatible, I'd be happy to see something like this get into 5.8.

-J
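The shape change Ovid describes, worked through in plain Perl as an added example (this is not code from the thread, from CGI.pm or from Catalyst). `parse_query` is a hypothetical stand-in that builds the same scalar-or-arrayref hash shown above; `param_values` and `param_any` are hypothetical accessors that hide the shape, with `param_any` playing the role of the 'any' junction. The query strings are constructed inputs, including the attacker-controlled variants from the message.

```perl
#!/usr/bin/env perl
# Added example, not part of the original thread or of Catalyst.
# Shows how duplicating or de-duplicating a query parameter changes the
# data shape of a CGI.pm-style parameter hash, how naive code fails on
# each shape, and how a shape-independent accessor avoids the problem.
use strict;
use warnings;

# Minimal percent-decoding so the example has no non-core dependencies.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Hypothetical parser: query string -> { name => 'value' | [ 'v1', 'v2' ] }.
# Mirrors the structure shown in the thread, not Catalyst's real parser.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair ( split /[;&]/, $qs ) {
        my ( $k, $v ) = map { url_decode($_) } split /=/, $pair, 2;
        $v = '' unless defined $v;
        if ( !exists $params{$k} ) {
            $params{$k} = $v;                    # first value: plain scalar
        } elsif ( ref $params{$k} eq 'ARRAY' ) {
            push @{ $params{$k} }, $v;           # third and later: append
        } else {
            $params{$k} = [ $params{$k}, $v ];   # second value: now an arrayref
        }
    }
    return \%params;
}

# Shape-independent accessor: always returns a (possibly empty) list.
sub param_values {
    my ( $params, $name ) = @_;
    my $v = $params->{$name};
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Stand-in for the 'any' junction: true if any value equals $wanted.
sub param_any {
    my ( $params, $name, $wanted ) = @_;
    return scalar grep { $_ eq $wanted } param_values( $params, $name );
}

# Constructed inputs: the two query strings from the thread plus the
# duplicate an attacker could tack on.
my @cases = (
    'sport=football',
    'sport=football;sport=seal%20clubbing',
    'sport=football;sport=football',
);

for my $qs (@cases) {
    my $params = parse_query($qs);

    # Naive code expecting a list: under 'use strict', dereferencing a plain
    # string as an array dies. Trap it so the loop can show every case.
    my @as_list = eval { @{ $params->{sport} } };
    my $list_result = $@ ? 'DIES' : 'ok';

    # Naive code expecting a scalar: an arrayref stringifies to ARRAY(0x...),
    # so the comparison silently fails instead of crashing.
    my $scalar_result =
        ( $params->{sport} // '' ) eq 'football' ? 'matches' : 'no match';

    my @values = param_values( $params, 'sport' );
    printf "%-40s list-deref=%-4s scalar-eq=%-8s values=[%s] any(football)=%d\n",
        "?$qs", $list_result, $scalar_result, join( ', ', @values ),
        param_any( $params, 'sport', 'football' );
}
```

Running it shows the two failure modes side by side: the single-parameter case dies in the list dereference, while the multi-parameter cases make the scalar comparison fail silently. `param_values` and `param_any` give the same answer for every shape, which is the property the proposed accessor is meant to guarantee.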

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
