Module: tools
Branch: master
Commit: e0e43d8cac1e3d64d1c104bc0b49f930b44df305
URL: http://source.winehq.org/git/tools.git/?a=commit;h=e0e43d8cac1e3d64d1c104bc0...
Author: Francois Gouget fgouget@codeweavers.com
Date: Mon Jun 19 09:06:49 2017 +0200
testbot: Force CGI::param() to scalar context for security.
Otherwise a call like foo($Page->GetParam("Name")) can end up passing extra arguments to foo() if the URL contains multiple instances of 'Name'. The situation is even worse if one uses named parameters. No code depended on being able to get multiple values and the only place that used CGI::param() to get the list of parameter names is already using Page::GetParameterNames().
Signed-off-by: Francois Gouget fgouget@codeweavers.com
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/lib/ObjectModel/CGI/Page.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm index 1fb2ca3..50598bf 100644 --- a/testbot/lib/ObjectModel/CGI/Page.pm +++ b/testbot/lib/ObjectModel/CGI/Page.pm @@ -77,7 +77,9 @@ sub GetParamNames($)
=head1 C<GetParam()>
-This thunks to CGI::param() and thus takes the same arguments list. +This thunks to CGI::param() and thus takes the same arguments list but forces +the result to scalar context to avoid security issues. +To get the list of parameter names use GetParamNames().
=back =cut @@ -86,7 +88,7 @@ sub GetParam($@) { my $self = shift;
- return $self->{CGIObj}->param(@_); + return scalar($self->{CGIObj}->param(@_)); }
sub CGI($)
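Review bot: The new POD text for GetParam() says the result is forced to scalar context "to avoid security issues" but does not tell a caller what they get when the URL repeats a parameter. Please state that only one value is returned (CGI::param() in scalar context returns the first one) and that any further values are dropped silently, so nobody reads this as duplicates being rejected. Separately, the commit message refers to Page::GetParameterNames(), while the hunk header and the added POD line both name GetParamNames(); the two should agree.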
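Review bot: In the GetParam() body, "sub GetParam($@)" still forwards whatever is left in @_ after the shift, so a call with no parameter name reaches param() with an empty argument list and, with scalar() wrapped around it, now yields a single scalar instead of the list of names. Since the POD now sends callers to GetParamNames() for that case, consider rejecting a call without a name explicitly, or at least documenting what it returns, so a stale caller fails visibly rather than continuing with a meaningless value. The same applies to any setter-style call passed through @_: it is worth a sentence in the POD on whether GetParam() is meant to be read-only.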