[Catalyst] Feature Request: Parameter Junctions

Ovid publiustemp-catalyst at yahoo.com
Wed Oct 22 10:34:19 BST 2008

There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst:  allow junctions for request parameters.  Consider the following:

  # ?sport=football
  my $params = $c->request->query_parameters;
  # { sport => 'football' }

But if there are multiple paramters:

  # ?sport=football;sport=seal%20clubbing
  my $params = $c->request->query_parameters;
  # { sport => [ 'football', 'seal clubbing' ] }

Because multiple parameters are supplied, the data structure changes!  All an attacker needs to do is is tack on a duplicate parameter to a query string a see if the code crashes.  Worse, if there are already multiple parameters, the attacker can restrict them to a single parameters and you'll likely fail when you attempt to dereference:

  @ {$params->{sport} }

I think this could be eliminated by using an 'any' junction:

  my $sport = $c->request->get_param('sport');
  if ( 'football' eq $sport ) { ... }

That works whether you have one parameter for 'sport' or multiple.  Want to iterate over them?

  foreach my $sport ( $c->request->get_param('sport')->values ) { ... }

Again, that still works whether you have one parameter or several.

The developer no longer needs to write code to detect what data type is returned and it's one less bug lurking.


Buy the book         - http://www.oreilly.com/catalog/perlhks/
Tech blog            - http://use.perl.org/~Ovid/journal/
Twitter              - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

More information about the Catalyst mailing list