From 310aea92aaa91fbcba353591bfd68b13b8b183a4 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Sat, 4 Jul 2015 23:29:40 +0300
Subject: [PATCH] Disable warning about CGI::param called in list context
The code explicitly handles param() returning multiple values,
disarming the parameter injection vulnerability.
Bug-Debian: https://bugs.debian.org/791439
---
Expand.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Expand.pm b/Expand.pm
index eb85850..e6be854 100644
--- a/Expand.pm
+++ b/Expand.pm
@@ -62,6 +62,8 @@ sub expand_cgi {
# permit multiple values CGI style
for ($cgi->param) {
+ # multiple values are explicitly handled
+ local $CGI::LIST_CONTEXT_WARN = 0;
next if (/\.[xy]$/); # img_submit=val & img_submit.x=20 -> clash
my @vals = $cgi->param($_);
$args{$_} = @vals > 1 ? \@vals : $vals[0];
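Review bot: the `local $CGI::LIST_CONTEXT_WARN = 0;` sits at the top of the loop body, ahead of the `next if (/\.[xy]$/);` skip, so it is re-established on every iteration, including those that never reach the list-context call. The only statement it needs to cover is `my @vals = $cgi->param($_);`. Consider moving it directly above that line, or wrapping the two in a bare block, so the suppression is scoped to the one call it is justifying and a later list-context `param()` added elsewhere in this loop would still warn. The comment would also be more useful if it stated why the call is safe: the result is captured in `@vals` and stored in `$args{$_}` as either a single scalar or one array reference, so multiple values are never flattened into a surrounding list.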
--
2.5.1