[Catalyst] Input/Parameter Checks
Jonathan Rockway
jon at jrock.us
Thu Dec 13 23:42:25 GMT 2007
On Thu, 2007-12-13 at 23:02 +0000, Ash Berlin wrote:
> >  # 2
> >  my $user = $rs->create({
> >      is_admin => 0,
> >      username => $c->req->param('username'),
> >  });
> 
> This comes under "never interpolate *anything* from the user into SQL."
Well, you have to get data into the database somehow.  It goes without
saying that the $rs->create call validates the data.
The issue here is using param(), which returns *a list* in list context.
The thing that => points to is not coerced to scalar context.  So in
this case you're hoping the list only has one element, but you're not
guaranteeing this in any way.  Consider a query string like
username=foo&username=is_admin&username=1.  
Here,
    { username => $req->params('username') } 
would be the same as
    { username => qw/foo is_admin 1/       }
A common mistake.  
This is very subtle and it's probably a security hole lurking in many,
many apps.
Regards,
Jonathan Rockway
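The list-flattening problem described above, as an added example that is not part of the original thread. It uses a small hypothetical `FakeRequest` class that mimics the one behaviour the post relies on (a `param` method returning every submitted value in list context and the first one in scalar context) so it runs offline without Catalyst; the query string is the constructed one from the message.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical stand-in for the request object; NOT Catalyst::Request itself.
# Only the list-versus-scalar behaviour of param() is modelled here.
package FakeRequest;

sub new {
    my ($class, $query_string) = @_;
    my %params;
    for my $pair (split /&/, $query_string) {
        my ($k, $v) = split /=/, $pair, 2;
        push @{ $params{$k} }, $v;    # same name may appear more than once
    }
    return bless { params => \%params }, $class;
}

# In list context: every value submitted under $name.
# In scalar context: only the first value.
sub param {
    my ($self, $name) = @_;
    my $values = $self->{params}{$name} || [];
    return wantarray ? @$values : $values->[0];
}

package main;

# Constructed query string from the thread: 'username' sent three times.
my $req = FakeRequest->new('username=foo&username=is_admin&username=1');

# Unsafe: the fat comma (=>) does not impose scalar context, so the
# returned list flattens into the hash and the extra values become a
# brand-new key/value pair that overrides is_admin.
my %unsafe = (
    is_admin => 0,
    username => $req->param('username'),
);
print "unsafe: $_ => $unsafe{$_}\n" for sort keys %unsafe;
# is_admin => 1, username => foo

# Safe: force scalar context so at most one value is ever stored.
my %safe = (
    is_admin => 0,
    username => scalar $req->param('username'),
);
print "safe: $_ => $safe{$_}\n" for sort keys %safe;
# is_admin => 0, username => foo

# Stricter: treat a parameter that arrives more than once as a bad request
# instead of silently keeping the first value.
sub single_param {
    my ($r, $name) = @_;
    my @values = $r->param($name);
    die "parameter '$name' supplied " . scalar(@values) . " times\n"
        if @values > 1;
    return $values[0];
}

my $username = eval { single_param($req, 'username') };
print "strict: ", ($@ ? "rejected: $@" : "accepted: $username\n");
```

The `scalar` form is the minimal fix for the snippet in the thread; the `single_param` variant is the check a reviewer would usually ask for, since a duplicated parameter in a form that should only ever carry one is worth rejecting (and logging) rather than quietly truncating.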