https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809
Bug ID: 15809
Summary: versions of CGI < 4.08 do not have multi_param
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: ASSIGNED
Severity: normal
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
On debian Jessie, the CGI version is >= 4.08
Since this version, the param method raise a warning "CGI::param called in list
context".
Indeed, it can cause vulnerability if called in list context
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
There is a long journey to get rid of these warnings. First I suggest to
redefine the multi_param method when the CGI version installed is < 4.08, it
will allow us to move the wrong ->param calls to ->multi_param without waiting
for everybody to upgrade.
The different ways to call these 2 methods are:
my $foo = $cgi->param('foo'); # OK
my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK
$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK
--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
