[Catalyst] Re: Feature Request: Parameter Junctions

Aristotle Pagaltzis pagaltzis at gmx.de
Wed Oct 22 21:06:50 BST 2008


* Ovid <publiustemp-catalyst at yahoo.com> [2008-10-22 11:40]:
> Because multiple parameters are supplied, the data structure
> changes! All an attacker needs to do is tack on a duplicate
> parameter to a query string and see if the code crashes.

And if it does then what? The problem is largely benign,
actually, from a security perspective. (Of course, all types of
bugs can cause an existing potential security hole to manifest.)

The fact that the app crashes is still a problem, though. That
shouldn’t happen.

That said:

> There's an idea I've toyed with for Perl 6's CGI.pm and I think
> it might prove useful for Catalyst:  allow junctions for
> request parameters.

I don’t see the point of junctions here. Feel free to write
Catalyst::Request::Junctional :-) but I don’t think that a
junction-based API belongs in the Cat core. Maybe in Catasixt,
but not in Cat-on-Perl 5.

I outlined a proposal a long time ago of two different methods
like the current `param`, one which always returned a single
value (the last one if there are multiple) and one which always
returned an arrayref. Then there could be no confusion and code
would always get exactly what it was written to expect. Matt
agreed but punted to volunteers, and none stepped up, me
included, so it has yet to happen.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
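
A sketch of the two-accessor proposal described in the message above, as an added example that is not part of the original message and not Catalyst's own code. `Sketch::Request`, `param_single` and `param_list` are hypothetical names, and the query strings are constructed samples.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical stand-in for a request object; not Catalyst's own class.
package Sketch::Request;

sub new {
    my ($class, $query) = @_;
    my %p;
    for my $pair (split /[&;]/, $query) {      # URL-decoding omitted for brevity
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        push @{ $p{$k} }, defined $v ? $v : '';
    }
    # Mimic the shape discussed in the thread: a plain scalar for one
    # value, an arrayref as soon as the same key is supplied twice.
    $_ = (@$_ == 1 ? $_->[0] : $_) for values %p;
    return bless { parameters => \%p }, $class;
}

sub parameters { $_[0]{parameters} }

# Hypothetical accessor: always one scalar (the last value), or undef.
sub param_single {
    my ($self, $name) = @_;
    my $v = $self->{parameters}{$name};
    return ref($v) eq 'ARRAY' ? $v->[-1] : $v;
}

# Hypothetical accessor: always an arrayref, empty if the key is absent.
sub param_list {
    my ($self, $name) = @_;
    my $v = $self->{parameters}{$name};
    return [] unless defined $v;
    return ref($v) eq 'ARRAY' ? [@$v] : [$v];
}

package main;

for my $query ('id=42', 'id=42&id=43') {       # constructed sample input
    my $req = Sketch::Request->new($query);
    my $raw = $req->parameters->{id};
    printf "%-12s raw=%s single=%s list=[%s]\n",
        $query,
        (ref($raw) ? 'ARRAY ref' : $raw),
        $req->param_single('id'),
        join(',', @{ $req->param_list('id') });
}
```

The raw value changes type when the key is repeated, while each accessor returns the same shape for both inputs, so calling code cannot be pushed onto an unexpected data structure by a duplicated parameter.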


