[Catalyst] Feature Request: Parameter Junctions

J. Shirley jshirley at gmail.com
Wed Oct 22 15:49:41 BST 2008


On Wed, Oct 22, 2008 at 2:34 AM, Ovid <publiustemp-catalyst at yahoo.com> wrote:
> There's an idea I've toyed with for Perl 6's CGI.pm and I think it might prove useful for Catalyst:  allow junctions for request parameters.  Consider the following:
>
>  # ?sport=football
>  my $params = $c->request->query_parameters;
>  # { sport => 'football' }
>
> But if there are multiple parameters:
>
>  # ?sport=football;sport=seal%20clubbing
>  my $params = $c->request->query_parameters;
>  # { sport => [ 'football', 'seal clubbing' ] }
>
> Because multiple parameters are supplied, the data structure changes!  All an attacker needs to do is tack on a duplicate parameter to a query string and see if the code crashes.  Worse, if there are already multiple parameters, the attacker can restrict them to a single parameter and you'll likely fail when you attempt to dereference:
>
>  @{ $params->{sport} }
>
> I think this could be eliminated by using an 'any' junction:
>
>  my $sport = $c->request->get_param('sport');
>  if ( 'football' eq $sport ) { ... }
>
> That works whether you have one parameter for 'sport' or multiple.  Want to iterate over them?
>
>  foreach my $sport ( $c->request->get_param('sport')->values ) { ... }
>
> Again, that still works whether you have one parameter or several.
>
> The developer no longer needs to write code to detect what data type is returned and it's one less bug lurking.
>
> Thoughts?
>
> Cheers,
> Ovid


Not a bad idea, and I tend to wrap this stuff anyway, but then
$c->request doesn't look like a CGI-compat object, which is immensely
helpful when dealing with other code.  If it were still API
compatible, I'd be happy to see something like this get into 5.8.

-J
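The shape change Ovid describes, worked through in plain Perl as an added example that is not code from this thread or from Catalyst: the hashes below are constructed to mirror what query_parameters returns for one, two and zero `sport` values, and the helper names param_values and param_is are assumptions, not a Catalyst API.

```perl
#!/usr/bin/env perl
# Added example (not Catalyst's own code): normalise a Catalyst-style
# query_parameters hash so that a duplicated or removed parameter cannot
# change the shape of the data a handler dereferences.
use strict;
use warnings;

# Constructed inputs mirroring $c->request->query_parameters for
# "?sport=football", "?sport=football;sport=seal%20clubbing" and no sport.
my %single   = ( sport => 'football' );
my %multiple = ( sport => [ 'football', 'seal clubbing' ] );
my %missing  = ();

# Always return a list, whatever shape the stored value has.
sub param_values {
    my ( $params, $name ) = @_;
    my $v = $params->{$name};
    return ()  unless defined $v;          # absent parameter: empty list
    return @$v if ref $v eq 'ARRAY';       # repeated parameter: flatten
    return ($v);                           # single parameter: one-element list
}

# 'any'-style comparison: true if any supplied value equals $wanted.
sub param_is {
    my ( $params, $name, $wanted ) = @_;
    return scalar grep { $_ eq $wanted } param_values( $params, $name );
}

# The fragile form from the post: under "use strict" this dies as soon as
# only one sport=... pair is sent, because a plain string is not an array ref.
my $ok = eval { my @s = @{ $single{sport} }; 1 };
print 'naive deref on single value: ', ( $ok ? "ok\n" : "died: $@" );

# The normalised accessors behave the same for all three shapes.
for my $case ( [ single => \%single ], [ multiple => \%multiple ], [ missing => \%missing ] ) {
    my ( $label, $p ) = @$case;
    my @values = param_values( $p, 'sport' );
    printf "%-8s -> %d value(s): %s; football? %s\n",
        $label, scalar @values, join( ', ', @values ),
        param_is( $p, 'sport', 'football' ) ? 'yes' : 'no';
}
```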


