[Catalyst] Feature Request: Parameter Junctions

Matt S Trout dbix-class at trout.me.uk
Thu Nov 13 19:39:44 GMT 2008

On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst:  allow junctions for request parameters.  Consider the following:
>   # ?sport=football
>   my $params = $c->request->query_parameters;
>   # { sport => 'football' }
> But if there are multiple paramters:
>   # ?sport=football;sport=seal%20clubbing
>   my $params = $c->request->query_parameters;
>   # { sport => [ 'football', 'seal clubbing' ] }
> Because multiple parameters are supplied, the data structure changes!  All an attacker needs to do is is tack on a duplicate parameter to a query string a see if the code crashes.  Worse, if there are already multiple parameters, the attacker can restrict them to a single parameters and you'll likely fail when you attempt to dereference:
>   @ {$params->{sport} }
> I think this could be eliminated by using an 'any' junction:
>   my $sport = $c->request->get_param('sport');

my $sport = Perl6::Junction::any($c->req->param('sport'));


      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/

More information about the Catalyst mailing list