<h1>Thursday, April 9</h1>

CGI::Fast and multi_param()
---------------------------

A little while ago, changes were made to [Perl's CGI.pm][1] because of a [class
of exploits][2] arising from calling `param()` in list context.

I had code in a wrapper for [Display][3] that called `param()` in list context
deliberately:

    # Handle input from FastCGI: one CGI::Fast object per request.
    while (my $query = CGI::Fast->new) {
        # Deliberate list-context call: 'keywords' may carry several values,
        # and every one of them should reach display().
        my @params = $query->param('keywords');
        print $d->display(@params);
    }

In due course, I started getting warnings about calling `param()` in list context.
They looked sort of like this:

    brennen@exuberance 18:46:13 /home/brennen/www (master) ★ perl display.fcgi 2>&1 | head -1
    CGI::param called in list context from package main line 38, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/share/perl/5.20.1/CGI.pm line 408.

Problematic, since a variable containing that list is _exactly what I want_. On
googling, I found that in addition to the warning, CGI.pm had been amended to
include `multi_param()` for [the cases][4] where you explicitly want a list.
Ok, cool, I'll use that.

Fast forward to just now. `display.fcgi` is blowing up on my local machine. Why?

    [Thu Apr 09 18:28:29.606663 2015] [fcgid:warn] [pid 13984:tid 140343326992128] [client 127.0.0.1:41335] mod_fcgid: stderr: Undefined subroutine CGI::Fast::multi_param

Well, ok, I upgraded Ubuntu a while back. Maybe I need to reinstall CGI::Fast
from CPAN because the Ubuntu packages aren't up to date. So:

    $ sudo cpan -i CGI::Fast

No dice. What am I missing here? Oh, right. CGI::Fast inherits from CGI.pm.

    $ sudo cpan -i CGI

Golden.

Granted, I should probably stop using CGI.pm altogether.

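To make the two points above concrete (why list-context `param()` earned a warning, and why `multi_param()` is a method of CGI.pm that CGI::Fast merely inherits), here is an added example that is not code from the post or from the Display project. It builds a CGI object from a constructed query string in which the `name` parameter is sent three times, checks with `can()` that the installed CGI.pm actually provides `multi_param()`, and then contrasts the unsafe hash construction with the hardened one. In the unsafe version the extra values flatten into the hash constructor and overwrite the `role` key that the code meant to fix at `guest`; in the hardened version `scalar` pins a single value, and `multi_param()` is used only where a list is really wanted. The `build_user_*` and `all_names` names are this example's own.

```perl
#!/usr/bin/perl
# Added example: list-context param() hazard versus scalar param() / multi_param().
use strict;
use warnings;
use CGI;

# multi_param() lives in CGI.pm; CGI::Fast only inherits it. This is the check
# that would have pointed at upgrading the CGI dist rather than CGI::Fast.
CGI->can('multi_param')
    or die "CGI.pm $CGI::VERSION has no multi_param(); upgrade the CGI dist\n";

# Constructed query string (example input, not from the post): the 'name'
# parameter arrives with three values, the last two chosen to land on a hash key
# and its value.
my $q = CGI->new('name=alice&name=role&name=admin');

# Unsafe pattern: param() in list context inside a hash constructor. All three
# values flatten into the list, so the request can rewrite keys that follow
# 'name' in the constructor, including 'role'. CGI.pm emits the same
# "called in list context" warning shown in the post when this runs.
sub build_user_unsafe {
    my ($cgi) = @_;
    my %user = (role => 'guest', name => $cgi->param('name'));
    return \%user;
}

# Hardened pattern: force scalar context when exactly one value is wanted.
# The hash now always has two keys, whatever the request sends.
sub build_user_safe {
    my ($cgi) = @_;
    my %user = (role => 'guest', name => scalar $cgi->param('name'));
    return \%user;
}

# When a list is genuinely intended, say so with multi_param(); this is the
# replacement for the deliberate list-context call in the FastCGI loop above.
sub all_names {
    my ($cgi) = @_;
    return [ $cgi->multi_param('name') ];
}

for my $pair ([unsafe => \&build_user_unsafe], [safe => \&build_user_safe]) {
    my ($label, $builder) = @$pair;
    my $user = $builder->($q);
    printf "%-6s role=%s name=%s keys=%d\n",
        $label, $user->{role}, $user->{name}, scalar keys %$user;
}
printf "all names: %s\n", join(', ', @{ all_names($q) });
```

Running this against a CGI.pm that predates `multi_param()` dies at the `can()` check with the installed `$CGI::VERSION`, which is a quicker diagnosis than an `Undefined subroutine` line in the mod_fcgid log. The general rule the example illustrates: treat every `param()` call in list context as a review finding unless it is wrapped in `scalar` or replaced by `multi_param()`, because the request decides how many values come back.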
[1]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod
[2]: http://seclists.org/vulnwatch/2006/q4/6
[3]: https://github.com/brennen/display
[4]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod#Fetching_the_value_or_values_of_a_single_named_parameter: