https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15809
Marcel de Rooy <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA
         QA Contact|[email protected]            |[email protected]
                   |                            |y.org

--- Comment #5 from Marcel de Rooy <[email protected]> ---
I have the impression that we do not completely tackle the problem (read: the given vulnerability) here. Just switching param to multi_param (without looking at the context) does not really solve it. You only suppress the warning. We could still be vulnerable with calls like:

    my $hash = { a => multi_param('b'), c => 'd' };

If multi_param('b') returns (b1, b2, b3), your hash is 'injected' with b2 => b3, just the same as param('b') would have done.

So we should check (before or after this patch) if we are calling param in a hash context. If so, prepend it with scalar.

Redefining methods/routines for lower versions of a module is not the most elegant solution (from a QA perspective). If we can avoid doing so, we should.

Since we do not need to add calls to multi_param yet, and we do not address the actual vulnerability in this patch, I would propose not adding this redefinition. We should concentrate on the calls to param in a hash context and scalarize them. (The warnings in the log show us where these calls are.)

Failed QA

I will also ask for another (QA) opinion on the dev list.
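The hash-injection described in the comment, as an added example that is not part of the bug report or of Koha's code. It assumes CGI.pm (the module the bug is about) is installed and uses a constructed query string with the parameter `b` repeated three times; the output shows that `multi_param` injects exactly like `param`, and that only forcing scalar context prevents it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # assumed installed; CGI.pm has not been a core module since Perl 5.22

# Constructed request: the same parameter sent three times, which any client can do.
my $q = CGI->new('b=b1&b=b2&b=b3');

# Render a hash as "key=value, ..." so the three cases can be compared.
sub show {
    my ($label, %h) = @_;
    printf "%-24s %s\n", $label, join(', ', map { "$_=$h{$_}" } sort keys %h);
}

# Vulnerable: a hash constructor is list context, so param() returns all values
# and the list (a, b1, b2, b3, c, d) becomes a => b1, b2 => b3, c => d.
# Recent CGI.pm versions also emit the "param called in list context" warning here.
my %via_param = ( a => $q->param('b'), c => 'd' );
show('param in hash:', %via_param);

# Not a fix: multi_param() is explicitly list-returning, so the same keys are
# injected; the only difference is that the warning goes away.
my %via_multi = ( a => $q->multi_param('b'), c => 'd' );
show('multi_param in hash:', %via_multi);

# Fix: force scalar context so exactly one value is used and no extra keys
# can be created by the request; the result is a => b1, c => d.
my %via_scalar = ( a => scalar $q->param('b'), c => 'd' );
show('scalar param in hash:', %via_scalar);

# Defensive check: a hash built from request data should only contain the
# keys the code intended to set.
my %expected = map { $_ => 1 } qw(a c);
for my $case ([ 'param', \%via_param ], [ 'multi_param', \%via_multi ], [ 'scalar param', \%via_scalar ]) {
    my ($name, $h) = @$case;
    my @unexpected = grep { !$expected{$_} } keys %$h;
    printf "%-12s %s\n", $name, @unexpected ? "INJECTED keys: @unexpected" : 'ok';
}
```

The `unexpected` check is the same idea as grepping the log for the list-context warnings: it finds the places where request data was allowed to become hash keys.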
