Hi all,
I just experienced a nasty case of query string pollution
vulnerability in one of my Catalyst/DBIC apps. I think that the
circumstances under which this applies are not _that_ rare, so I
figured it'd be best to inform the world.
Imagine the following code in one of your actions:
sub
2009/6/16 Tobias Kremer tobias.kre...@gmail.com:
Hi all,
I just experienced a nasty case of query string pollution
vulnerability in one of my Catalyst/DBIC apps. I think that the
circumstances under which this applies are not _that_ rare, so I
figured it'd be best to inform the world.
Sergio Salvi wrote:
I've applied both patches into this branch:
http://dev.catalyst.perl.org/svnweb/Catalyst/browse/branches/Catalyst-Plugin-Session/both/
Hi, sorry for the very late followup on this, but it's been noted that
the documentation wasn't adjusted to reflect the changes made.
I
Am 16.06.2009 um 11:11 schrieb Tobias Kremer:
Hi all,
I just experienced a nasty case of query string pollution
vulnerability in one of my Catalyst/DBIC apps. I think that the
circumstances under which this applies are not _that_ rare, so I
figured it'd be best to inform the world.
Imagine
You are not validating your input. That's all there is to say...
True, but I think that many people are led to believe that their input
is being correctly quoted by DBIC which in most cases it is, but in
this particular case it is not. I'm just trying to save people from
the consequences of this
From: Tobias Kremer tobias.kre...@gmail.com
Hi all,
I just experienced a nasty case of query string pollution
vulnerability in one of my Catalyst/DBIC apps. I think that the
circumstances under which this applies are not _that_ rare, so I
figured it'd be best to inform the world.
Imagine the
On Tuesday 16 June 2009 04:11:19 am Tobias Kremer wrote:
To me, this never looked like a potential security threat because
$c->req->param('name') is correctly inserted/quoted via bind
parameters, right? Well, let's see what happens, if we pollute the
query string a bit:
On Tue, Jun 16, 2009 at 1:14 PM, Octavian Rasnita orasn...@gmail.com wrote:
Try
name => $c->req->params->{name}
I think this was the recommended way, exactly for the reason you described.
Thanks a lot! I didn't know that this was the recommended practice.
Apparently, TIMTOWTDI struck again! :(
Tobias Kremer wrote:
Thanks a lot! I didn't know that this was the recommended practice.
Apparently, TIMTOWTDI struck again! :(
The docs on Catalyst::Request::param don't help to make this (and the
possible consequences of using this method) clear.
If someone would like to volunteer to
All,
Unfortunately nobody has been able to help me with this.
After much more trial and error I have something that almost works.
An extract from the FormFu config looks like:
- type: Hidden
  name: a_count
- type: Block
  tag: table
  attributes:
    border: 1
  elements:
Using FormFu this can be painful.
http://search.cpan.org/~snafufans/CatalystX-ListFramework-0.5/lib/CatalystX/ListFramework.pm will
build you pretty tables of data.
hth,
Devin
On Tue, Jun 16, 2009 at 11:03 PM, Wilson Jason jason.wil...@derm.qld.gov.au wrote:
All,
Unfortunately nobody has