[Catalyst] Feature Request: Parameter Junctions
Matt S Trout
dbix-class at trout.me.uk
Thu Nov 13 19:39:44 GMT 2008
On Wed, Oct 22, 2008 at 02:34:19AM -0700, Ovid wrote:
> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst: allow junctions for request parameters. Consider the following:
>
> # ?sport=football
> my $params = $c->request->query_parameters;
> # { sport => 'football' }
>
> But if there are multiple parameters:
>
> # ?sport=football;sport=seal%20clubbing
> my $params = $c->request->query_parameters;
> # { sport => [ 'football', 'seal clubbing' ] }
>
> Because multiple parameters are supplied, the data structure changes! All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes. Worse, if there are already multiple parameters, the attacker can restrict them to a single parameter and you'll likely fail when you attempt to dereference:
>
> @{ $params->{sport} }
>
> I think this could be eliminated by using an 'any' junction:
>
> my $sport = $c->request->get_param('sport');
my $sport = Perl6::Junction::any($c->req->param('sport'));
TADA.
--
Matt S Trout Need help with your Catalyst or DBIx::Class project?
Technical Director http://www.shadowcat.co.uk/catalyst/
Shadowcat Systems Ltd. Want a managed development or deployment platform?
http://chainsawblues.vox.com/ http://www.shadowcat.co.uk/servers/
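The shape problem Ovid describes (one value gives a scalar, several give an arrayref, so a duplicated or de-duplicated parameter changes what the handler dereferences) can be closed off without junctions by normalising the parameter to a list before doing anything with it. The script below is an added example written for this page, not code from the thread, from Catalyst or from Perl6::Junction; it builds the two `query_parameters` hashes from Ovid's message by hand (constructed sample data), adds a `param_values` helper that always returns a list, a `single_param` helper that refuses anything but exactly one value, and replaces the `any(...)` membership test with a core-Perl `grep` so it runs with no CPAN modules. The helper names are mine.

```perl
#!/usr/bin/env perl
# Added example (not from the thread or Catalyst): normalise the
# scalar-or-arrayref shape of query_parameters so that adding or removing
# duplicate parameters can never change the code path the handler takes.
use strict;
use warnings;

# Always returns a list of values for $name, whether the hash holds a
# plain scalar, an arrayref, or nothing at all.
sub param_values {
    my ($params, $name) = @_;
    return () unless exists $params->{$name};
    my $v = $params->{$name};
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Returns the single value for $name, or dies when the request carried
# zero or several values (the duplicated-parameter case Ovid describes).
sub single_param {
    my ($params, $name) = @_;
    my @vals = param_values($params, $name);
    die "expected exactly one '$name' parameter, got " . scalar(@vals) . "\n"
        unless @vals == 1;
    return $vals[0];
}

# Constructed sample hashes in the two shapes from the original message,
# plus a request with no 'sport' parameter at all.
my %cases = (
    '?sport=football'                       => { sport => 'football' },
    '?sport=football;sport=seal%20clubbing' => { sport => [ 'football', 'seal clubbing' ] },
    '?other=1'                              => { other => '1' },
);

for my $qs (sort keys %cases) {
    my $p      = $cases{$qs};
    my @sports = param_values($p, 'sport');
    printf "%-40s values=[%s]", $qs, join(', ', @sports);

    # Membership test: same question as any(@sports) eq 'football',
    # answered with core Perl.
    my $has_football = grep { $_ eq 'football' } @sports;
    print $has_football ? " matches football" : " no football";

    # Strict single-value access: succeeds only for the plain case.
    my $one = eval { single_param($p, 'sport') };
    print defined $one ? " single='$one'\n" : " single: $@";
}
```

Both helpers take the raw `query_parameters` hashref, so they can be called from a controller without changing how Catalyst builds the request; the choice between them is the policy decision: `param_values` when several values are legitimate, `single_param` when a duplicate should be treated as a malformed request rather than silently using the first or last value.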