Thursday, April 9

CGI::Fast and multi_param()
---------------------------

A little while ago, changes were made to [Perl's CGI.pm][1] because of a [class of exploits][2] arising from calling `param()` in list context.

I had code in a wrapper for [Display][3] that called `param()` in list context deliberately:

    # Handle input from FastCGI:
    while (my $query = CGI::Fast->new) {
      my @params = $query->param('keywords');
      print $d->display(@params);
    }

In due course, I started getting warnings about calling `param()` in list context. They looked sort of like this:

    brennen@exuberance 18:46:13 /home/brennen/www (master) ★ perl display.fcgi 2>&1 | head -1
    CGI::param called in list context from package main line 38, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/share/perl/5.20.1/CGI.pm line 408.

Problematic, since a variable containing that list is _exactly what I want_. On googling, I found that in addition to the warning, CGI.pm had been amended to include `multi_param()` for [the cases][4] where you explicitly want a list. Ok, cool, I'll use that.

Fast forward to just now. `display.fcgi` is blowing up on my local machine. Why?

    [Thu Apr 09 18:28:29.606663 2015] [fcgid:warn] [pid 13984:tid 140343326992128] [client 127.0.0.1:41335] mod_fcgid: stderr: Undefined subroutine CGI::Fast::multi_param

Well, ok, I upgraded Ubuntu a while back. Maybe I need to reinstall CGI::Fast from CPAN because the Ubuntu packages aren't up to date. So:

    $ sudo cpan -i CGI::Fast

No dice. What am I missing here? Oh, right. CGI::Fast inherits from CGI.pm.

    $ sudo cpan -i CGI

Golden.

Granted, I should probably stop using CGI.pm altogether.

[1]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod
[2]: http://seclists.org/vulnwatch/2006/q4/6
[3]: https://github.com/brennen/display
[4]: http://search.cpan.org/~leejo/CGI-4.14/lib/CGI.pod#Fetching_the_value_or_values_of_a_single_named_parameter:
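
To make the warning concrete, here is an added example (not code from the original post) showing what list-context `param()` does inside a hash constructor, the scalar-context fix, and an explicit `multi_param()` call guarded by a `can()` check. It assumes CGI.pm is installed; the query string, the `is_admin` key and the `all_values` helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: why list-context param() is risky, and the safer forms.
use strict;
use warnings;
use CGI;

# Constructed request: the "name" field is submitted three times.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# Risky: param() in list context inside a hash constructor. All three
# values are spliced into the list, so the second and third become an
# extra key/value pair that overwrites the default set before them.
# (A recent CGI.pm prints the list-context warning to STDERR here.)
my %risky = ( is_admin => 0, name => $q->param('name') );

# Hardened: force scalar context when exactly one value is expected.
my %safe = ( is_admin => 0, name => scalar( $q->param('name') ) );

# When a list really is wanted (as in the Display wrapper), ask for it
# explicitly. multi_param() is defined in CGI.pm and inherited by
# CGI::Fast, so an old CGI.pm means it is missing from both. Checking
# with can() turns the "Undefined subroutine" crash into a clear error.
sub all_values {
    my ( $query, $field ) = @_;
    die "installed CGI.pm has no multi_param(); upgrade CGI, not just CGI::Fast\n"
        unless $query->can('multi_param');
    my @values = $query->multi_param($field);
    return @values;
}

my @keywords = all_values( $q, 'name' );

printf "risky: name=%s is_admin=%s\n", $risky{name}, $risky{is_admin};
printf "safe:  name=%s is_admin=%s\n", $safe{name},  $safe{is_admin};
printf "list:  %s\n", join ', ', @keywords;
```

Assigning the result of `multi_param()` to an array first, rather than calling it inline in a hash or argument list, keeps the caller in control of how many values end up where.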