Koha/C4
Jonathan Druart 94dde6b48d Bug 15809: Redefine multi_param is CGI < 4.08 is used
On Debian Jessie, the CGI version is >= 4.08.
Since this version, the param method raises a warning
"CGI::param called in list context".
Indeed, it can cause a vulnerability if called in list context.

https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

There is a long journey to get rid of these warnings.
First I suggest redefining the multi_param method when the CGI version
installed is < 4.08; it will allow us to move the wrong ->param calls to
->multi_param without waiting for everybody to upgrade.

The different ways to call these 2 methods are:

my $foo = $cgi->param('foo'); # OK

my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK

$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
                                               # and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested a call to multi_param with CGI < 4.08.
With reference to the comments on Bugzilla, this workaround is arguable,
but provides a base to move to multi_param. If we come up with a better
solution, it should be easy to adjust.

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-03-22 23:23:39 +00:00
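
The list-context problem described in the commit message above, shown as an added example that is not part of the Koha code base. The query string is constructed and `template_params` is a hypothetical stand-in for `$template->param`; it compares the unsafe call with the scalar and multi_param forms.

```perl
#!/usr/bin/perl
# Added example, not Koha code. The query string and key names are constructed.
use strict;
use warnings;
use CGI;

# Silence the CGI >= 4.08 "called in list context" warning so the output of
# this demonstration stays readable. Do not do this in application code.
$CGI::LIST_CONTEXT_WARN = 0;

# Hypothetical stand-in for $template->param(...): any sub that takes
# key => value pairs and stores them in a hash behaves the same way.
sub template_params {
    my %vars = @_;
    return \%vars;
}

# Constructed request: the same parameter name is sent three times.
my $cgi = CGI->new('foo=bar&foo=is_admin&foo=1');

# NOK: param() in list context returns every value, so the argument list
# becomes ( foo => 'bar', 'is_admin', 1 ) and a key the code never named
# ends up in the hash.
my $unsafe = template_params( foo => $cgi->param('foo') );

# OK: scalar context returns only the first value.
my $safe = template_params( foo => scalar $cgi->param('foo') );

# OK: when every value is wanted, ask for the list explicitly and pass it
# as an array reference so it cannot spill into neighbouring arguments.
# The can() check covers CGI < 4.08, which has no multi_param method.
my @all = $cgi->can('multi_param')
    ? $cgi->multi_param('foo')
    : $cgi->param('foo');
my $multi = template_params( foo => \@all );

# Print the keys each call produced.
for my $case ( [ unsafe => $unsafe ], [ scalar => $safe ], [ multi => $multi ] ) {
    my ( $label, $vars ) = @{$case};
    printf "%-7s keys: %s\n", $label, join( ', ', sort keys %{$vars} );
}
```
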
..
AuthoritiesMarc
Barcodes
Bookseller
ClassSortRoutine
Creators Bug 14468: Remove warnings when creating Labels 2015-10-27 10:12:32 -03:00
External
Form Bug 15099: Move admin/categorie.pl to admin/categories.pl 2015-12-30 16:36:41 +00:00
Heading
ILSDI
Installer Bug 14168 - enhance streaming cataloging to include youtube 2016-03-02 00:40:00 +00:00
Labels Bug 14781: Creation of barcode types 2of5 not functional 2015-11-05 10:31:46 -03:00
Linker
Members Bug 15163: Do not erase patron attributes if limited to another library 2016-03-21 16:56:37 +00:00
OAI
Output
Patroncards
Reports Bug 15800: Koha::AuthorisedValues - Remove C4::Koha::IsAuthorisedValueCategory 2016-03-02 03:54:16 +00:00
Search Bug 10933: (follow-up) fix the previous patch to work with master 2015-10-27 11:03:03 -03:00
Serials
SIP Bug 13871: [QA Follow-up] Add $server for FID_SCREEN_MSG 2016-03-07 17:22:21 +00:00
Utils Bug 15285: Update common files 2016-02-24 00:02:49 +00:00
Accounts.pm Bug 14402: Make purge_zero_balance_fees() delete fees with NULL balance. 2015-11-09 14:58:51 -03:00
Acquisition.pm Bug 5404: Move the test to a new IsMarcStructureInternal sub 2016-03-07 17:30:09 +00:00
Auth.pm Bug 4941: Remove the singleBranchMode system preference 2016-02-26 12:13:09 +00:00
Auth_cas_servers.yaml.orig
Auth_with_cas.pm
Auth_with_ldap.pm Bug 15163: Do not erase patron attributes if limited to another library 2016-03-21 16:56:37 +00:00
Auth_with_shibboleth.pm
AuthoritiesMarc.pm Bug 15358: Fix authorities merge 2016-02-03 23:03:33 +00:00
BackgroundJob.pm
Barcodes.pm
Biblio.pm Bug 15955: Tuning function 'New child record' for Unimarc 205$a -> 461$e 2016-03-11 21:55:24 +00:00
Bookseller.pm
Boolean.pm
Branch.pm Bug 15629: Koha::Libraries - Remove GetBranchInfo 2016-02-24 03:55:07 +00:00
Breeding.pm
Budgets.pm Bug 15084: Remove C4::Budgets::ConvertCurrency 2016-03-03 20:39:01 +00:00
Calendar.pm Bug 14954: Remove unused C4::Calendar::addDate subroutine 2015-11-17 23:44:57 -03:00
Category.pm
Charset.pm Bug 14078: (followup) converting from ISO5426 is not complete 2015-11-16 12:48:44 -03:00
Circulation.pm Bug 14694 - Make decreaseloanHighHolds more flexible 2016-03-07 17:48:51 +00:00
ClassSortRoutine.pm
ClassSource.pm
Context.pm Bug 15809: Redefine multi_param is CGI < 4.08 is used 2016-03-22 23:23:39 +00:00
Contract.pm
CourseReserves.pm Bug 15530 - Editing a course item via a disabled course disables it even if it is on other enabled courses 2016-01-27 00:58:14 +00:00
Creators.pm
Csv.pm
Debug.pm Bug 14870: (followup) Remove mention of C4::Dates from C4/Debug.pm 2015-11-19 13:05:06 -03:00
Heading.pm
HoldsQueue.pm Bug 12803 [QA Followup] - Allow holiday caching to be disabled for testing purposes 2016-03-03 20:19:00 +00:00
HTML5Media.pm Bug 14168: (followup) require WWW::YouTube::Download only when syspref enabled 2016-03-03 18:47:03 +00:00
Images.pm
ImportBatch.pm
ImportExportFramework.pm
InstallAuth.pm
Installer.pm Bug 11431: (QA followup) Make audio alerts sql top level 2015-11-04 12:33:53 -03:00
ItemCirculationAlertPreference.pm Bug 14828: Use Koha::ItemType[s] everywhere C4::ItemType was used 2016-01-27 20:46:58 +00:00
Items.pm Bug 5404: Move the test to a new IsMarcStructureInternal sub 2016-03-07 17:30:09 +00:00
Koha.pm Bug 5404: C4::Koha - remove subfield_is_koha_internal_p 2016-03-07 17:30:09 +00:00
Labels.pm
Languages.pm Bug 15719: Silence warning in C4/Language.pm during web install 2016-02-24 01:55:27 +00:00
Letters.pm Bug 12426: [QA Follow-up] Clear to_address to force update 2016-03-03 20:16:07 +00:00
Linker.pm
Log.pm Bug 15632 [QA Followup] - Get rid of use of uninitialized value errors for unit tests 2016-03-03 21:22:15 +00:00
MarcModificationTemplates.pm Bug 15669: Alphabetize marc modification templates 2016-03-03 22:11:44 +00:00
Matcher.pm
Members.pm Bug 15656: Move guarantor/guarantees code - GetMemberRelatives 2016-03-12 23:40:10 +00:00
Message.pm
NewsChannels.pm Bug 14248: Optionally display authorship for news 2015-10-27 16:26:22 -03:00
Output.pm Bug 15111: Change X-Frame-Options with SAMEORIGIN 2016-03-14 16:30:08 +00:00
Overdues.pm Bug 15084: Replace C4::Budgets::GetCurrencies with Koha::Acquisition::Currencies->search 2016-03-03 20:39:01 +00:00
Patroncards.pm
Print.pm
Ratings.pm
Record.pm Bug 13642 - Adding new features for Dublin Core metadata 2016-01-27 06:23:07 +00:00
Reports.pm
Reserves.pm Bug 15629: Koha::Libraries - Remove GetBranchDetail 2016-02-24 03:55:06 +00:00
Review.pm
Ris.pm Bug 14971: fix RIS export 2015-12-11 16:28:27 +00:00
RotatingCollections.pm Bug 15066: Make transfer rotating collection works under Plack 2015-11-05 09:50:09 -03:00
Scheduler.pm
Scrubber.pm
Search.pm Bug 15694: Add aliases for date/time last modified 2016-03-11 21:56:50 +00:00
Serials.pm Bug 12375 [7] - Update to use Koha::Object classes 2015-12-31 12:29:05 +00:00
Service.pm Bug 11559: Supporting changes for Rancor 2015-10-27 12:16:05 -03:00
ShelfBrowser.pm
SMS.pm
SocialData.pm
Stats.pm
Suggestions.pm Bug 15090: Fix date filter for Suggestions management 2015-11-02 11:35:02 -03:00
Tags.pm
Templates.pm Bug 15968: Unnecessary loop in C4::Templates 2016-03-07 17:20:00 +00:00
TmplToken.pm Bug 6679: (follow-up) fix 9 perlcritic violations in C4/TmplTokenType.pm 2016-01-27 05:06:23 +00:00
TmplTokenType.pm Bug 6679: (follow-up) fix 9 perlcritic violations in C4/TmplTokenType.pm 2016-01-27 05:06:23 +00:00
TTParser.pm
UsageStats.pm Bug 4941: Remove the singleBranchMode system preference 2016-02-26 12:13:09 +00:00
XISBN.pm
XSLT.pm Bug 4941 [QA Followup] - Retain singleBranchMode in list of sysprefs passed to XSLT 2016-02-26 12:24:04 +00:00