https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24788
Marcel de Rooy <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from Marcel de Rooy <[email protected]> ---
(In reply to David Gustafsson from comment #0)
> Koha::Object->store accesses DBIx::Class::Row columns as $self->$col, using
> AUTOLOAD, which in effect makes column names and methods share the same
> namespace. I'm no security expert, but I think this should be considered bad
> practice and could be an attack vector. It also has huge potential for
> causing strange bugs, which happened in Bug 14957 where a column is named
> "delete", calling the "delete" method instead of fetching the column value
> as intended. Here is patch to fix this using a separate namespace for
> setting/getting columns through get_column/set_column instead.

In this case it comes from:
my $columns_info = $self->_result->result_source->columns_info;
just a few lines earlier.
So I guess the security argument does not really apply here.
And the "huge potential for bugs" is a bit overkill.
But the change looks good to me :)
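
The column/method name collision discussed in this thread, as an added example that is not part of the original message and is not Koha or DBIx::Class code. ToyRow, its AUTOLOAD accessor and the sample row are hypothetical stand-ins; only the names get_column and delete mirror the thread.

```perl
#!/usr/bin/perl
# Constructed toy model (assumption): not Koha or DBIx::Class code.
use strict;
use warnings;

package ToyRow;    # hypothetical stand-in for a row object

our $AUTOLOAD;

sub new {
    my ( $class, %cols ) = @_;
    return bless { cols => {%cols}, deleted => 0 }, $class;
}

# Explicit column namespace: looks up data only, never dispatches to a method.
sub get_column {
    my ( $self, $col ) = @_;
    die "no such column: $col" unless exists $self->{cols}{$col};
    return $self->{cols}{$col};
}

# A real method that happens to share its name with a column.
sub delete {
    my ($self) = @_;
    $self->{deleted} = 1;    # side effect the caller never asked for
    return $self;
}

# Fallback accessor: only reached when no real method has that name.
sub AUTOLOAD {
    my ($self) = @_;
    ( my $name = $AUTOLOAD ) =~ s/.*:://;
    return if $name eq 'DESTROY';
    return $self->get_column($name);
}

package main;

# Constructed sample row with a column named "delete".
my $row = ToyRow->new( title => 'Dune', delete => 0 );

for my $col ( sort keys %{ $row->{cols} } ) {
    my $via_method = $row->$col;                # method lookup wins over AUTOLOAD
    my $via_column = $row->get_column($col);    # separate namespace, always data
    printf "%-6s via method: %-13s via get_column: %s\n", $col,
        ( ref $via_method ? 'ToyRow object' : $via_method ), $via_column;
}
print "row flagged deleted as a side effect: $row->{deleted}\n";
```

For the title column both access paths return the same value; for the delete column the method call returns the object and flips the deleted flag, while get_column returns the stored value.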
