[Catalyst] Potential query string pollution vulnerability?

Andrew Rodland arodland at comcast.net
Tue Jun 16 11:19:01 GMT 2009


On Tuesday 16 June 2009 04:11:19 am Tobias Kremer wrote:
> To me, this never looked like a potential security threat because
> $c->req->param('name') is correctly inserted/quoted via bind
> parameters, right? Well, let's see what happens, if we "pollute" the
> query string a bit:
>
> /crashme?name=Foo&name=Bar
>
Using $c->req->param for this kind of purpose (or, if you ask certain people, 
for any purpose) is discouraged, and has been discouraged as long as I can 
remember, for this reason. Use $c->req->params and validate your input. 
(Incidentally, if you'd used $c->req->params->{name} the behavior you would 
have gotten would have been "WHERE name='Foo' OR name='Bar'" which can be a 
really useful behavior straight out of the box -- but the point stands that 
you have to know what your data is, know what your data needs to be, and make 
sure that the two are reconcilable before you do anything :)

Andrew
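As an added illustration (not part of the original thread or of Catalyst itself), the following self-contained Perl script uses a hypothetical FakeRequest stand-in for the Catalyst::Request interface to contrast $c->req->param in list context with $c->req->params, and to show the validation step the reply recommends:

```perl
use strict;
use warnings;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Terse    = 1;

# Hypothetical stand-in for the Catalyst::Request interface, so this runs
# without Catalyst. param() behaves like CGI::param: every value in list
# context, only the first in scalar context. params() returns the hashref,
# where a repeated key holds an arrayref.
package FakeRequest;
sub new    { my ($class, %p) = @_; bless { params => \%p }, $class }
sub params { $_[0]{params} }
sub param {
    my ($self, $key) = @_;
    my $v = $self->{params}{$key};
    my @vals = ref $v eq 'ARRAY' ? @$v : defined $v ? ($v) : ();
    return wantarray ? @vals : $vals[0];
}
package main;

# Constructed request equivalent to /crashme?name=Foo&name=Bar
my $req = FakeRequest->new(name => [ 'Foo', 'Bar' ]);

# A hash constructor puts param() in list context, so ('Foo', 'Bar') is
# flattened into the key/value list and the second value becomes a key.
# 'use warnings' reports "Odd number of elements in anonymous hash" here,
# which is worth treating as a signal rather than noise.
my $cond_param = { name => $req->param('name') };
print "param():  ", Dumper($cond_param);

# params->{name} keeps both values in one arrayref, which DBIx::Class
# renders as name='Foo' OR name='Bar', as the reply above describes.
my $cond_params = { name => $req->params->{name} };
print "params(): ", Dumper($cond_params);

# Validation: state what the data must be (exactly one plain string)
# and reject anything else before it is used to build a query.
sub single_value {
    my ($r, $key) = @_;
    my $v = $r->params->{$key};
    die "'$key' must be given exactly once\n" unless defined $v && !ref $v;
    return $v;
}
print "polluted: ", eval { single_value($req, 'name') } // "rejected: $@";
print "single:   ", single_value(FakeRequest->new(name => 'Foo'), 'name'), "\n";
```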