a technical notebook
Thursday, April 9

CGI::Fast and multi_param()

A little while ago, changes were made to Perl's CGI.pm because of a class of exploits arising from calling param() in list context.

I had code in a wrapper for Display that called param() in list context deliberately:

# Handle input from FastCGI ($d is the Display wrapper object set up earlier):
use CGI::Fast;
while (my $query = CGI::Fast->new) {
  # param() in list context on purpose: 'keywords' may carry several values
  my @params = $query->param('keywords');
  print $d->display(@params);
}

In due course, I started getting warnings about calling param() in list context. They looked sort of like this:

brennen@exuberance 18:46:13 /home/brennen/www (master) ★ perl display.fcgi 2>&1 | head -1
CGI::param called in list context from package main line 38, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/local/share/perl/5.20.1/CGI.pm line 408.

Problematic, since a variable containing that list is exactly what I want. On googling, I found that in addition to the warning, CGI.pm had been amended to include multi_param() for the cases where you explicitly want a list. Ok, cool, I'll use that.
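To make the "class of exploits" concrete, and to show where multi_param() fits, here is an added example (not code from the original post). It assumes a CGI.pm recent enough to have multi_param() (4.08 or later) and builds a request from a constructed query string rather than a live web server; the sub names and the 'name'/'role' fields are hypothetical.

```perl
#!/usr/bin/env perl
# Added example, not from the original post. Shows why calling
# CGI::param() in list context is dangerous and how scalar() and
# multi_param() express what you actually mean.
# Assumes CGI.pm >= 4.08 is installed (it is no longer core Perl).
use strict;
use warnings;
use CGI;

# Silence the list-context warning so the vulnerable path runs quietly
# for the demonstration. Leave it on in real code; it exists for a reason.
$CGI::LIST_CONTEXT_WARN = 0;

# Constructed request: 'name' is repeated so the extra values spill into
# neighbouring slots of a hash literal; 'keywords' is a legitimate
# multi-valued field like the one in the post.
my $q = CGI->new('name=alice&name=role&name=admin&keywords=perl&keywords=cgi');

# Vulnerable: in list context param() returns every value, so the hash
# literal flattens to (role => 'user', name => 'alice', role => 'admin')
# and the later 'role' key wins. The request author chose the role.
sub build_user_vulnerable {
    my ($cgi) = @_;
    my %user = (
        role => 'user',
        name => $cgi->param('name'),   # list context, all three values
    );
    return \%user;
}

# Hardened: force scalar context, which yields only the first value, so
# the hash keeps exactly the two keys written in the source.
sub build_user_fixed {
    my ($cgi) = @_;
    my %user = (
        role => 'user',
        name => scalar $cgi->param('name'),
    );
    return \%user;
}

# Where a list is genuinely wanted (the post's 'keywords'), say so with
# multi_param(); it is explicit and never triggers the warning.
sub search_keywords {
    my ($cgi) = @_;
    return $cgi->multi_param('keywords');
}

my $bad  = build_user_vulnerable($q);
my $good = build_user_fixed($q);
printf "vulnerable: name=%s role=%s\n", $bad->{name},  $bad->{role};
printf "fixed:      name=%s role=%s\n", $good->{name}, $good->{role};
print  "keywords:   ", join(', ', search_keywords($q)), "\n";
```

Run it once and compare the two role values: the vulnerable sub ends up with the role taken from the request, the fixed one keeps the hard-coded 'user'. The rule of thumb is to write scalar param() everywhere a single value is expected and multi_param() only where a list is intended, which is the change the post makes for 'keywords'.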

Fast forward to just now. display.fcgi is blowing up on my local machine. Why?

[Thu Apr 09 18:28:29.606663 2015] [fcgid:warn] [pid 13984:tid 140343326992128] [client 127.0.0.1:41335] mod_fcgid: stderr: Undefined subroutine CGI::Fast::multi_param

Well, ok, I upgraded Ubuntu a while back. Maybe I need to reinstall CGI::Fast from CPAN because the Ubuntu packages aren't up to date. So:

$ sudo cpan -i CGI::Fast

No dice. What am I missing here? Oh, right. CGI::Fast inherits from CGI.pm.

$ sudo cpan -i CGI

Golden.

Granted, I should probably stop using CGI.pm altogether.