brennen
/
workings-book
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
a technical notebook
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
175 Commits
1 Branch
1.2 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
workings-book/entries/2015-04-09.md

49 lines
2.0 KiB
Raw Permalink Normal View History

CGI::Fast and multi_param()
9 years ago
 
  1. <h1>Thursday, April  9</h1>
  2. 

  3. CGI::Fast and multi_param()
  4. ---------------------------
  5. 

  6. A little while ago, changes were made to [Perl's CGI.pm][1] because of a [class
  7. of exploits][2] arising from calling `param()` in list context.
  8. 

  9. I had code in a wrapper for [Display][3] that called `param()` in list context
  10. deliberately:
  11. 

  12.     # Handle input from FastCGI:
  13.     while (my $query = CGI::Fast->new) {
  14.       my @params = $query->param('keywords');
  15.       print $d->display(@params);
  16.     }
  17. 

  18. In due course, I started getting warnings about calling `param()` in list context.
  19. They looked sort of like this:
  20. 

  21.     brennen@exuberance 18:46:13 /home/brennen/www (master) ★ perl display.fcgi 2>&1 | head -1
  22.     CGI::param called in list context from package main line 38, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/share/perl/5.20.1/CGI.pm line 408.
  23. 

  24. Problematic, since a variable containing that list is _exactly what I want_. On
  25. googling, I found that in addition to the warning, CGI.pm had been amended to
  26. include `multi_param()` for [the cases][4] where you explicitly want a list.
  27. Ok, cool, I'll use that.
  28. 

  29. Fast forward to just now. `display.fcgi` is blowing up on my local machine. Why?
  30. 

  31.     [Thu Apr 09 18:28:29.606663 2015] [fcgid:warn] [pid 13984:tid 140343326992128] [client 127.0.0.1:41335] mod_fcgid: stderr: Undefined subroutine CGI::Fast::multi_param
  32. 

  33. Well, ok, I upgraded Ubuntu a while back. Maybe I need to reinstall CGI::Fast
  34. from CPAN because the Ubuntu packages aren't up to date.  So:
  35. 

  36.     $ sudo cpan -i CGI::Fast
  37. 

  38. No dice. What am I missing here?  Oh, right.  CGI::Fast inherits from CGI.pm.
  39. 

  40.     $ sudo cpan -i CGI
  41. 

  42. Golden.
  43. 

  44. Granted, I should probably stop using CGI.pm altogether.
  45. 

  46. [1]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod
  47. [2]: http://seclists.org/vulnwatch/2006/q4/6
  48. [3]: https://github.com/brennen/display
  49. [4]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod#Fetching_the_value_or_values_of_a_single_named_parameter: