https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15747
David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #18 from David Cook <[email protected]> ---
Jonathan's patch looks good - provided that
$in->{'query'}->param('auth_forwarded_hash') is a single value and not a multi
value. (I assume that it is a single value.)

I'd like to clarify one thing though. The warning "Do not use CGI->param in
list context" is not strictly necessary. The problem isn't with CGI->param() in
list context per se but rather with CGI->param("foo") in list context.

I'm using "my @param_names = CGI->param()" elsewhere and it doesn't generate
warnings. It only generates warnings if you're passing the method an argument,
as it introduces some ambiguity and the possibility of buggy behaviour.

Here's the example from CGI:

    my %user_info = (
        id   => 1,
        name => $query->param('name'),
    );

In theory, someone could submit multiple "name" arguments, so the above could
actually be interpolated like this:

    my %user_info = (
        id   => 1,
        name => "bruce", "wayne", "clark", "kent"
    );

If you run the code with that list as the value for "name", you'll get the
following hash after interpolation:

    'id' => 1,
    'name' => 'bruce',
    'kent' => undef,
    'wayne' => 'clark'

That's definitely a vulnerability.

So if you know that you only have one "name", you can use "scalar
$query->param('name')".

However, if you know that you have multiple names, but don't want to wind up
with a mangled hash, I think you should be able to do the following:

    my %user_info = (
        id   => 1,
        name => [$query->param('name')],
    );

That should give you the following:

    'id' => 1,
    'name' => [
        'bruce',
        'wayne',
        'clark',
        'kent'
    ]

Of course, I think you'd still get the warning even if you did
$query->param('name'), which is why CGI->multi_param probably makes more sense
as per https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809.
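The three forms discussed in comment #18, run side by side on a constructed request. This is an added example, not code from Koha or from the comment's author; it assumes CGI.pm 4.08 or later (for multi_param and the list-context warning), and single_param is a hypothetical helper that rejects a request when a parameter expected once arrives more than once.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Data::Dumper;

$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Indent   = 1;

# Constructed request: the same four "name" values used in the comment.
my $query = CGI->new('name=bruce&name=wayne&name=clark&name=kent');

# 1. param('name') in list context: the extra values spill into the hash
#    and become keys and values of their own.
my %mangled;
{
    # Silenced for this demonstration only: CGI's list-context warning and
    # Perl's "Odd number of elements in hash assignment" warning.
    local $CGI::LIST_CONTEXT_WARN = 0;
    no warnings 'misc';
    %mangled = ( id => 1, name => $query->param('name') );
}

# 2. scalar forces a single value (the first one submitted).
my %first_only = ( id => 1, name => scalar $query->param('name') );

# 3. multi_param inside an array reference keeps every value under one key.
my %all_values = ( id => 1, name => [ $query->multi_param('name') ] );

# Hypothetical helper: return the value only if it was submitted at most
# once, so a duplicated parameter fails loudly instead of being truncated.
sub single_param {
    my ( $q, $key ) = @_;
    my @values = $q->multi_param($key);
    die "parameter '$key' submitted " . scalar(@values) . " times\n"
        if @values > 1;
    return $values[0];
}

print Dumper( \%mangled, \%first_only, \%all_values );

my $ok = eval { single_param( $query, 'name' ); 1 };
print "single_param rejected the request: $@" unless $ok;
```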
