From: "Tobias Kremer" <tobias.kre...@gmail.com>
Hi all,

I just experienced a nasty case of query string pollution
vulnerability in one of my Catalyst/DBIC apps. I think that the
circumstances under which this applies are not _that_ rare, so I
figured it'd be best to inform the world.

Imagine the following code in one of your actions:

sub crashme :Local {
   my( $self, $c ) = @_;
   my $result = [ $c->model( 'Foo' )->search( {
       -or => [
           name => $c->req->param( 'name' )

Try:

name => $c->req->params->{name}

I think this was the recommended way, exactly for the reason you described.

Octavian

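To make the difference concrete, here is an added, stand-alone Perl example that is not code from the thread or from Catalyst itself: it uses a constructed FakeRequest stand-in for Catalyst::Request (so it runs without Catalyst installed) and contrasts the list-context param() call from the original post with the params->{name} access suggested above.

```perl
#!/usr/bin/env perl
# Added example (not from the thread). FakeRequest is a constructed
# stand-in for Catalyst::Request: param() returns every value of a
# repeated parameter in list context, and params() returns a hashref
# whose value is a scalar for one value or an arrayref for several.
use strict;
use warnings;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Indent   = 1;

package FakeRequest;    # constructed stand-in, not Catalyst::Request
sub new { my ($class, %p) = @_; return bless { params => \%p }, $class }
sub params { $_[0]{params} }
sub param {
    my ($self, $name) = @_;
    my $v = $self->{params}{$name};
    my @vals = ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : ();
    return wantarray ? @vals : $vals[0];    # list vs. scalar context
}

package main;

# Constructed requests: one well-formed, one with 'name' repeated.
my $clean    = FakeRequest->new( name => 'alice' );
my $polluted = FakeRequest->new( name => [ 'alice', 'extra_key', 'extra_val' ] );

# The pattern from the original post: param() in list context inside a
# hash/array constructor. Extra values become extra key/value pairs of
# the search condition, which is the pollution described in the thread.
for my $req ( $clean, $polluted ) {
    my %where = ( name => $req->param('name') );
    print "list-context param(): ", Dumper( \%where );
}

# Octavian's suggestion: params->{name}. It never spills into extra keys,
# but a repeated parameter still arrives as an arrayref, which
# SQL::Abstract would render as IN (...); reject anything but a scalar.
sub scalar_param {
    my ( $req, $name ) = @_;
    my $v = $req->params->{$name};
    die "parameter '$name' must have exactly one value\n" if ref $v;
    return $v;
}
for my $req ( $clean, $polluted ) {
    my $val = eval { scalar_param( $req, 'name' ) };
    print defined $val ? "params->{name}: $val\n" : "rejected: $@";
}
```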

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
