[Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Tobias Kremer
Hi all, I just experienced a nasty case of query string pollution vulnerability in one of my Catalyst/DBIC apps. I think that the circumstances under which this applies are not _that_ rare, so I figured it'd be best to inform the world. Imagine the following code in one of your actions: sub

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Carl Franks
2009/6/16 Tobias Kremer tobias.kre...@gmail.com: Hi all, I just experienced a nasty case of query string pollution vulnerability in one of my Catalyst/DBIC apps. I think that the circumstances under which this applies are not _that_ rare, so I figured it'd be best to inform the world.

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Moritz Onken
On 16.06.2009 at 11:11, Tobias Kremer wrote: Hi all, I just experienced a nasty case of query string pollution vulnerability in one of my Catalyst/DBIC apps. I think that the circumstances under which this applies are not _that_ rare, so I figured it'd be best to inform the world. Imagine

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Tobias Kremer
You are not validating your input. That's all there is to say... True, but I think that many people are led to believe that their input is being correctly quoted by DBIC, which in most cases it is, but in this particular case it is not. I'm just trying to save people from the consequences of this

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Octavian Rasnita
From: Tobias Kremer tobias.kre...@gmail.com Hi all, I just experienced a nasty case of query string pollution vulnerability in one of my Catalyst/DBIC apps. I think that the circumstances under which this applies are not _that_ rare, so I figured it'd be best to inform the world. Imagine the

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Andrew Rodland
On Tuesday 16 June 2009 04:11:19 am Tobias Kremer wrote: To me, this never looked like a potential security threat because $c->req->param('name') is correctly inserted/quoted via bind parameters, right? Well, let's see what happens, if we pollute the query string a bit:

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Tobias Kremer
On Tue, Jun 16, 2009 at 1:14 PM, Octavian Rasnita orasn...@gmail.com wrote: Try name => $c->req->params->{name} I think this was the recommended way, exactly for the reason you described. Thanks a lot! I didn't know that this was the recommended practice. Apparently, TIMTOWTDI struck again! :(

Re: [Catalyst] Potential query string pollution vulnerability?

2009-06-16 Thread Tomas Doran
Tobias Kremer wrote: Thanks a lot! I didn't know that this was the recommended practice. Apparently, TIMTOWTDI struck again! :( The docs on Catalyst::Request::param don't help to make this (and the possible consequences of using this method) clear. If someone would like to volunteer to