From: Francois Gouget Subject: [Tools 2/2] testbot: Force CGI::param() to scalar context for security. Message-Id: Date: Mon, 19 Jun 2017 09:06:49 +0200 (CEST) In-Reply-To: References: Otherwise a call like foo($Page->GetParam("Name")) can end up passing extra arguments to foo() if the URL contains multiple instances of 'Name'. The situation is even worse if one uses named parameters. No code depended on being able to get multiple values and the only place that used CGI:param() to get the list of parameter names is already using Page::GetParameterNames(). Signed-off-by: Francois Gouget --- This fixes warnings in the Apache log. See also: https://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ testbot/lib/ObjectModel/CGI/Page.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm index 1fb2ca32..50598bfa 100644 --- a/testbot/lib/ObjectModel/CGI/Page.pm +++ b/testbot/lib/ObjectModel/CGI/Page.pm @@ -77,7 +77,9 @@ sub GetParamNames($) =head1 C -This thunks to CGI::param() and thus takes the same arguments list. +This thunks to CGI::param() and thus takes the same arguments list but forces +the result to scalar context to avoid security issues. +To get the list of parameter names use GetParamNames(). =back =cut @@ -86,7 +88,7 @@ sub GetParam($@) { my $self = shift; - return $self->{CGIObj}->param(@_); + return scalar($self->{CGIObj}->param(@_)); } sub CGI($) -- 2.11.0
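Review bot: the new POD text for GetParam() says the result is forced to scalar context but not what that means for a parameter that appears more than once in the request; since CGI::param() in scalar context returns only the first value, stating that callers get just the first value and that any further values are silently dropped would save a reader from assuming repeated values are rejected. The same paragraph points callers to GetParamNames(), while the commit message refers to Page::GetParameterNames(); one of the two names is wrong and should be made to match the `sub GetParamNames($)` in the hunk header.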
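Review bot: `return scalar($self->{CGIObj}->param(@_));` also changes the no-argument case, not only the repeated-value case: CGI::param() with no arguments returns the parameter names in list context, and under scalar() a leftover `$self->GetParam()` caller would silently get a single scalar instead of that list. The description says the only such caller has already moved to the names accessor, so consider having GetParam() die or warn when @_ is empty so that any future caller is caught rather than handed a meaningless value. A one-line comment saying the scalar() wrapper is deliberate would also help, since a later reader could otherwise take it for a redundant call and remove it.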
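The argument injection the commit message describes, as an added Perl illustration that is not part of the patch or of the testbot code: a named-parameter function called with a list-context CGI::param() beside the scalar-context form the patch adopts. It assumes CGI.pm is installed and uses a constructed query string in place of a real request.

```perl
#!/usr/bin/perl
# Added illustration of list-context CGI::param() argument injection and of
# the scalar-context fix. Not part of the patch; show_user(), vulnerable()
# and hardened() are hypothetical names, and the query string is constructed.
use strict;
use warnings;
use CGI;

# Constructed request: "Name" is repeated, and the extra values form a
# key/value pair that lines up with the callee's named parameters.
my $q = CGI->new('Name=alice&Name=Role&Name=admin');

# A function taking a positional name followed by named options.
sub show_user {
    my ($name, %opts) = @_;
    my $role = $opts{Role} // 'user';
    return "$name:$role";
}

# List context: param() returns every value, so show_user() receives
# ("alice", "Role", "admin") and the request has chosen Role => admin.
sub vulnerable {
    return show_user($q->param('Name'));
}

# Scalar context, as in the patch: only the first value is passed, so
# %opts stays empty and the default role applies.
sub hardened {
    return show_user(scalar $q->param('Name'));
}

print "list context:   ", vulnerable(), "\n";
print "scalar context: ", hardened(),   "\n";
```

Recent CGI.pm releases print a warning when param() is called in list context, which is the Apache log noise the description refers to; the scalar form is silent.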