[Catalyst] Input/Parameter Checks

Jonathan Rockway jon at jrock.us
Thu Dec 13 23:42:25 GMT 2007


On Thu, 2007-12-13 at 23:02 +0000, Ash Berlin wrote:
> >  # 2
> >  my $user = $rs->create({
> >      is_admin => 0,
> >      username => $c->req->param('username'),
> >  });
> 
> This comes under "never interpolate *anything* from the user into SQL."

Well, you have to get data into the database somehow.  It goes without
saying that the $rs->create call validates the data.

The issue here is using param(), which returns *a list* in list context.
The thing that => points to is not coerced to scalar context.  So in
this case you're hoping the list only has one element, but you're not
guaranteeing this in any way.  Consider a query string like
username=foo&username=is_admin&username=1.  

Here,

    { username => $req->params('username') } 

would be the same as

    { username => qw/foo is_admin 1/       }

A common mistake.  

This is very subtle and it's probably a security hole lurking in many,
many apps.

Regards,
Jonathan Rockway
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.scsys.co.uk/pipermail/catalyst/attachments/20071213/f773aeef/attachment.pgp


More information about the Catalyst mailing list