[Tools 1/2] testbot: Add Page::GetParamNames() to retrieve a page's parameter names.


Francois Gouget
Signed-off-by: Francois Gouget <[hidden email]>
---
 testbot/lib/ObjectModel/CGI/FormPage.pm |  2 +-
 testbot/lib/ObjectModel/CGI/Page.pm     | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/testbot/lib/ObjectModel/CGI/FormPage.pm b/testbot/lib/ObjectModel/CGI/FormPage.pm
index bc7eb0b0..fb743a00 100644
--- a/testbot/lib/ObjectModel/CGI/FormPage.pm
+++ b/testbot/lib/ObjectModel/CGI/FormPage.pm
@@ -362,7 +362,7 @@ sub Save($)
 {
   my ($self) = @_;
 
-  my @ParamNames = $self->GetParam();
+  my @ParamNames = $self->GetParamNames();
   foreach my $ParameterName (@ParamNames)
   {
     my $PropertyDescriptor = $self->GetPropertyDescriptorByName($ParameterName);
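Review bot: this call site relied on CGI::param() returning the parameter names when invoked with no arguments in list context, so switching it to GetParamNames() has to land before GetParam() is forced into scalar context (as the 2/2 patch does); otherwise `$self->GetParam()` with an empty argument list would no longer yield the names. The 1/2 commit message has no body; a one-line rationale saying that GetParam() is about to stop enumerating names would make the ordering of the two patches self-explanatory.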
diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 046fd123..1fb2ca32 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -58,6 +58,23 @@ sub _initialize($$$)
 =pod
 =over 12
 
+=head1 C<GetParamNames()>
+
+Returns the list of parameter names.
+
+=back
+=cut
+
+sub GetParamNames($)
+{
+  my $self = shift;
+
+  return $self->{CGIObj}->param();
+}
+
+=pod
+=over 12
+
 =head1 C<GetParam()>
 
 This thunks to CGI::param() and thus takes the same arguments list.
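Review bot: the POD for GetParamNames() says only "Returns the list of parameter names"; it should state that the method forwards to CGI::param() with no arguments and is meaningful only in list context, since in scalar context that call yields a count rather than a name, so a caller writing `my $Name = $Page->GetParamNames();` would get a number. A note that the result is the set of names present in the request, not the page's declared properties, would also help readers distinguish it from GetPropertyDescriptorByName().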
--
2.11.0



[Tools 2/2] testbot: Force CGI::param() to scalar context for security.

Francois Gouget
Otherwise a call like foo($Page->GetParam("Name")) can end up passing
extra arguments to foo() if the URL contains multiple instances of
'Name'. The situation is even worse if one uses named parameters.
No code depended on being able to get multiple values and the only
place that used CGI::param() to get the list of parameter names is
already using Page::GetParameterNames().

Signed-off-by: Francois Gouget <[hidden email]>
---

This fixes warnings in the Apache log.

See also:
https://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/


 testbot/lib/ObjectModel/CGI/Page.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 1fb2ca32..50598bfa 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -77,7 +77,9 @@ sub GetParamNames($)
 
 =head1 C<GetParam()>
 
-This thunks to CGI::param() and thus takes the same arguments list.
+This thunks to CGI::param() and thus takes the same arguments list but forces
+the result to scalar context to avoid security issues.
+To get the list of parameter names use GetParamNames().
 
 =back
 =cut
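Review bot: the new wording "to avoid security issues" should name the issue so a future cleanup does not undo it: in list context a parameter repeated in the query string expands into extra positional or named arguments at the call site, which is the problem the cited blog post describes. The POD should also say what a caller that genuinely needs every value of a repeated parameter must do (go through CGI() and call param() itself), since GetParam() now silently returns only the first value. Separately, the commit message refers to Page::GetParameterNames() while the method added in 1/2, and correctly referenced by this POD line, is GetParamNames(); the message should be fixed before committing.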
@@ -86,7 +88,7 @@ sub GetParam($@)
 {
   my $self = shift;
 
-  return $self->{CGIObj}->param(@_);
+  return scalar($self->{CGIObj}->param(@_));
 }
 
 sub CGI($)
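Review bot: scalar() here returns the first value of a repeated parameter and drops the rest, which is the intended defence, but with an empty argument list scalar(param()) returns the number of parameters rather than a name. Since the `($@)` prototype is declarative only for method calls and still admits a call with no arguments, consider adding `die "use GetParamNames() to enumerate parameters" unless @_;` at the top of GetParam() so any leftover enumeration caller fails loudly instead of quietly receiving a count. The two-argument set form, param(name, value), keeps working in scalar context, so no caller that sets a value is affected.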
--
2.11.0
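The list-context problem the 2/2 commit message describes, as an added illustration that is not part of this thread or of the testbot tree. FakeCGI is an assumed stand-in that imitates only the context behaviour of CGI::param() (all values in list context, the first in scalar context), GetParam() and CreateUser() are hypothetical helpers modelled on the patched wrapper, and the repeated query values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the CGI object (not CGI.pm itself): param($name)
# returns every value in list context and only the first in scalar context,
# mirroring what CGI::param() does for a parameter repeated in the query string.
package FakeCGI;

sub new
{
  my ($class, %params) = @_;
  return bless { params => \%params }, $class;
}

sub param
{
  my ($self, $name) = @_;
  my $values = $self->{params}{$name} || [];
  return wantarray ? @$values : $values->[0];
}

package main;

# Hypothetical wrapper in the spirit of the patched Page::GetParam(): scalar()
# forces scalar context so a repeated parameter can never expand into extra
# arguments at the call site.
sub GetParam
{
  my ($cgi, @args) = @_;
  return scalar($cgi->param(@args));
}

# A callee that takes named parameters; any extra Role pair smuggled into its
# argument list silently overrides the default.
sub CreateUser
{
  my (%args) = @_;
  return { name => $args{Name}, role => $args{Role} // 'user' };
}

# Constructed request in which 'Name' appears three times, i.e. a query string
# of the form ?Name=alice&Name=Role&Name=admin
my $cgi = FakeCGI->new(Name => ['alice', 'Role', 'admin']);

# Unsafe: the method call sits in list context, so all three values are spliced
# into CreateUser's argument list and the last two become a Role => 'admin' pair.
my $unsafe = CreateUser(Name => $cgi->param('Name'));

# Safe: the wrapper returns a single scalar, so only Name => 'alice' is passed.
my $safe = CreateUser(Name => GetParam($cgi, 'Name'));

printf "list context:   name=%s role=%s\n", $unsafe->{name}, $unsafe->{role};
printf "scalar context: name=%s role=%s\n", $safe->{name}, $safe->{role};
```

Run it with perl: the first line reports the role the request injected through the repeated parameter, the second reports the default, which is exactly the difference the `scalar(...)` in the 2/2 hunk makes. The same expansion happens with positional arguments, where the surplus values shift into whatever parameters follow.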