From 94dde6b48d6e20a5260ea49f9b98ec884c2c25b5 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 12 Feb 2016 11:32:02 +0000
Subject: [PATCH] Bug 15809: Redefine multi_param is CGI < 4.08 is used

On debian Jessie, the CGI version is >= 4.08 Since this version, the param method raise a warning "CGI::param called in list context". Indeed, it can cause vulnerability if called in list context https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ There is a long journey to get rid of these warnings. First I suggest to redefine the multi_param method when the CGI version installed is < 4.08, it will allow us to move the wrong ->param calls to ->multi_param without waiting for everybody to upgrade. The different ways to call these 2 methods are:
my $foo = $cgi->param('foo'); # OK
my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK
$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning # and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK
Signed-off-by: Mark Tompsett
Signed-off-by: Marcel de Rooy
Tested a call to multi_param with CGI < 4.08. With reference to the comments on Bugzilla, this workaround is arguable, but provides a base to move to multi_param. If we come up with a better solution, it should be easy to adjust.
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
---
 C4/Context.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/C4/Context.pm b/C4/Context.pm
index bae5f12b6f..405fbf8316 100644
--- a/C4/Context.pm
+++ b/C4/Context.pm
@@ -76,6 +76,15 @@ BEGIN {
         if ($ENV{KOHA_BACKTRACES}) {
             $main::SIG{__DIE__} = \&CGI::Carp::confess;
         }
+
+        # Redefine multi_param if cgi version is < 4.08
+        # Remove the "CGI::param called in list context" warning in this case
+        if (!defined($CGI::VERSION) || $CGI::VERSION < 4.08) {
+            no warnings 'redefine';
+            *CGI::multi_param = \&CGI::param;
+            use warnings 'redefine';
+            $CGI::LIST_CONTEXT_WARN = 0;
+        }
     } # else there is no browser to send fatals to!
 
 # Check if there are memcached servers set
--
2.39.5
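Review bot: The `!defined($CGI::VERSION)` arm of the new condition installs the alias whenever CGI.pm simply has not been loaded yet, which nothing in this BEGIN block (its start lies outside the hunk) guarantees, so a CGI >= 4.08 loaded later finds `multi_param` already bound to `param`'s code slot and its own `sub multi_param` then replaces it with a "Subroutine redefined" warning; whether `param` keeps its body after that depends on how perl reuses the CV, so I would not rely on it. Adding `require CGI;` directly before the `if` makes the version test deterministic. The `use warnings 'redefine';` line is a compile-time, lexically scoped pragma and re-enables nothing at run time; the preceding `no warnings 'redefine'` is already confined to the block, so that line can simply go. As far as I recall `$CGI::LIST_CONTEXT_WARN` is only consulted by CGI 4.08 and later, so assigning it inside the `< 4.08` branch is inert, and moving it outside would hide exactly the list-context warning the description says the remaining `->param` call sites still need to be fixed for, so dropping the assignment seems right.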