[cgiapp] $CGI::LIST_CONTEXT_WARN in CGI::App
Martin McGrath
mcgrath.martin at gmail.com
Fri Mar 6 06:40:09 EST 2015
On 5 March 2015 at 18:54, Justin J <justin at dadamailproject.com> wrote:
> Hello everyone,
>
> I've been working on closing the bug/vulnerability/annoyance described here:
>
> http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
>
> in my CGI::App. For the most part, it's relatively straightforward. I'm having trouble with one module: HTML::FillInForm::Lite, that seems to cause the following warning to be printed in my error log:
>
> [Thu Mar 5 11:46:12 2015] app.cgi: CGI::param called in list context from package HTML::FillInForm::Lite line 373, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at [yadda yadda]
>
> There doesn't seemed to be a patched version of this module. Is there a way to set the $CGI::LIST_CONTEXT_WARN from within CGI::App? This does assume that CGI.pm is the query object used. Would this generally be a Good Idea?:
>
> $app->query()->LIST_CONTEXT_WARN = 0;
> # Do my HTML::FillinForm::Lite Work...
> $app->query()->LIST_CONTEXT_WARN = 1;
>
Hi Justin,
I found this warning a day ago after updating CGI.pm while preparing
the next release of CGI:App, the test suite starting throwing these
warnings. If you want to hide such messages use:
$CGI::Application::LIST_CONTEXT_WARN = 0;
My next task regarding CGI::App is to ensure the application code and
test suite aren't actually causing such problems.
Thanks
Martin
More information about the cgiapp
mailing list