From e5603d06918ea7eae0d87ebc8da731b228812fd7 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Mon, 1 May 2017 14:15:58 +0200 Subject: [PATCH] Bug 7550: [QA Follow-up] Resolve param warning from sco-patron-image Resolve this warning: CGI::param called in list context from package C4::Service line 212, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436. It comes from the require_params call in sco-patron-image.pl. Git grepping on require_params tells me this: members/default_messageprefs.pl:my ($categorycode) = C4::Service->require_params('categorycode'); opac/sco/sco-patron-image.pl:my ($borrowernumber) = C4::Service->require_params('borrowernumber'); opac/sco/sco-patron-image.pl:my ($csrf_token) = C4::Service->require_params('csrf_token'); svc/cataloguing/metasearch:my ( $query_string, $servers ) = C4::Service->require_params( 'q', 'servers' ); The only candidate for multi_param seems to be 'servers', but as we can see this variable is a scalar. Additional servers returned by require_params are lost. This should be solved on its own report. So, we can safely add scalar to the params call, resolve the warning and keep the same behavior. Signed-off-by: Marcel de Rooy
---
 C4/Service.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/C4/Service.pm b/C4/Service.pm
index da1d1ee91e..fa95a61cdb 100644
--- a/C4/Service.pm
+++ b/C4/Service.pm
@@ -209,7 +209,7 @@ sub require_params {
 for my $param ( @params ) {
 $class->return_error( 'params', "Missing '$param'" ) if ( !defined( $query->param( $param ) ) );
- push @values, $query->param( $param );
+ push @values, scalar $query->param( $param ); # will we ever need multi_param here?
 }
 return @values;
-- 2.39.5
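Review bot: The trailing comment on the added `push` line asks a question instead of recording why `scalar` is there, so a later maintainer could drop it when multi-valued support is wanted. I would replace it with `# scalar: exactly one value per requested name, so a repeated parameter cannot shift the caller's positional list assignment`. In list context, a request that repeats a parameter would have pushed several values and moved later ones into the wrong variable in callers such as the `( $query_string, $servers )` assignment quoted in the description. The `defined` check on the line above still accepts an empty value, so callers that need a non-empty `csrf_token` or `borrowernumber` presumably have to test that themselves. require_params starts before and ends after this hunk, so whether `return_error` stops execution on a missing parameter is not visible here.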