[Catalyst] Potential query string pollution vulnerability?

Andrew Rodland arodland at comcast.net
Tue Jun 16 11:19:01 GMT 2009

On Tuesday 16 June 2009 04:11:19 am Tobias Kremer wrote:
> To me, this never looked like a potential security threat because
> $c->req->param('name') is correctly inserted/quoted via bind
> parameters, right? Well, let's see what happens, if we "pollute" the
> query string a bit:
> /crashme?name=Foo&name=Bar
Using $c->req->param for this kind of purpose (or, if you ask certain people, 
for any purpose) is discouraged, and has been discouraged as long as I can 
remember, for this reason. Use $c->req->params and validate your input. 
(Incidentally, if you'd used $c->req->params->{name} the behavior you would 
have gotten would have been "WHERE name='Foo' OR name='Bar'" which can be a 
really useful behavior straight out of the box -- but the point stands that 
you have to know what your data is, know what your data needs to be, and make 
sure that the two are reconcileable before you do anything :)


More information about the Catalyst mailing list