[cgiapp] Re: New Plugin: RunmodeDeclare
Michael Peters
mpeters at plusthree.com
Mon Sep 29 09:23:47 EDT 2008
Rhesa Rozendaal wrote:
> As for the order in which arguments are fetched, I don't mind swapping
> $self->param and $q->param in the fallback order. I don't have a
> practical use case either way. I only use $self->param in this context
> when CA::Dispatch puts url components there. I thought you might
> sometimes want to override a url component with a form field, but I
> haven't seen that happen yet.
This is actually a security problem with fetching in the order it does now. It's similar to the PHP
bug where some config setting was turned on by default such that any query params automatically
became real variables in your program. This was fine unless you used one of those variables for
something else. This meant that anyone could craft a URL which would override a variable in your
program. Nasty things can happen.
--
Michael Peters
Plus Three, LP
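The precedence problem Michael describes, as an added stand-alone example (not code from the RunmodeDeclare plugin or from CGI::Application): the PHP setting he alludes to is register_globals, and the analogous situation here is a fetch order in which a client-supplied query parameter shadows a value the dispatcher derived from the URL. The dispatcher, the route, the parameter names and the request below are all constructed for illustration; core Perl only, no CGI.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for what a URL dispatcher would put into
# $self->param() after routing a hypothetical request to /account/show/42.
# In real CGI::Application::Dispatch code this hash would be filled by
# the dispatcher; here it is hard-coded.
my $path_param = { id => 42 };

# Minimal query-string parser standing in for $q->param().
# Handles '+' and %XX decoding so realistic input works.
sub parse_query {
    my ($qs) = @_;
    my %q;
    for my $pair ( split /[&;]/, $qs ) {
        my ( $k, $v ) = split /=/, $pair, 2;
        next unless defined $k and length $k;
        $v = '' unless defined $v;
        for ( $k, $v ) {               # foreach aliases $k and $v
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $q{$k} = $v;
    }
    return \%q;
}

# Query-first order: anything the client puts in the form or query
# string wins over what the URL routed to. This is the register_globals
# shape of the problem: a bare name resolves to attacker-controlled data.
sub fetch_query_first {
    my ( $name, $path, $query ) = @_;
    return $query->{$name} if exists $query->{$name};
    return $path->{$name};
}

# Path-first order: the dispatcher's value is authoritative and the
# query string only supplies arguments the URL did not provide.
sub fetch_path_first {
    my ( $name, $path, $query ) = @_;
    return $path->{$name} if exists $path->{$name};
    return $query->{$name};
}

# Constructed request: the URL routed id 42, but the client appended
# ?id=7&format=json to the same URL.
my $query = parse_query('id=7&format=json');

for my $name (qw(id format)) {
    printf "%-6s query-first=%-5s path-first=%s\n",
        $name,
        fetch_query_first( $name, $path_param, $query ),
        fetch_path_first( $name, $path_param, $query );
}
```

With the query-first order the runmode sees id=7, i.e. the client has silently replaced the record the URL selected; with the path-first order it sees id=42 and still receives format=json, since that argument was never part of the path. If a form field ever genuinely needs to override a URL component, that should be an explicit, per-argument decision in the runmode rather than the default lookup order.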