authorSimon McVittie <smcv@debian.org>2014-10-11 09:28:22 +0100
committerSimon McVittie <smcv@debian.org>2014-10-16 22:24:47 +0100
commitf4ec7b06d97c8406c5f5be7332ead2f28c271371 (patch)
treee4c49055cbf2268321cbd79f13c8eb9762336096
parentd8943d8668d2489b78d9c7c2abdad9f71d193724 (diff)
downloadikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar
ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar.gz
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla.
-rw-r--r--IkiWiki/Plugin/attachment.pm4
-rw-r--r--IkiWiki/Plugin/goto.pm2
-rw-r--r--IkiWiki/Plugin/inline.pm2
-rw-r--r--IkiWiki/Plugin/openid.pm2
-rw-r--r--IkiWiki/Plugin/poll.pm2
-rw-r--r--IkiWiki/Plugin/rename.pm8
6 files changed, 10 insertions, 10 deletions
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm
index d56dd18ad..fb8a6539e 100644
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@ -132,7 +132,7 @@ sub formbuilder (@) {
return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ;
- my $filename=Encode::decode_utf8($q->param('attachment'));
+ my $filename=Encode::decode_utf8(scalar $q->param('attachment'));
if (defined $filename && length $filename) {
attachment_store($filename, $form, $q, $params{session});
}
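Review bot: The added `scalar` on the `$q->param('attachment')` line carries no explanation, so a later tidy-up could drop it as redundant and silently bring back the list-context expansion this commit removes. A one-line comment above it, `# scalar: CGI->param in list context returns every value of a repeated parameter`, would make the intent durable; the same applies to the parallel changes in goto.pm, inline.pm, openid.pm, poll.pm and rename.pm. formbuilder's body starts and continues outside this hunk.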
@@ -142,7 +142,7 @@ sub formbuilder (@) {
}
if ($form->submitted eq "Insert Links") {
- my $page=quotemeta(Encode::decode_utf8($q->param("page")));
+ my $page=quotemeta(Encode::decode_utf8(scalar $q->param("page")));
my $add="";
foreach my $f ($q->param("attachment_select")) {
$f=Encode::decode_utf8($f);
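Review bot: The `foreach my $f ($q->param("attachment_select"))` loop two lines below the changed line is the one call in this hunk where list context is intended (a multi-value select), yet it now sits beside a `scalar`-wrapped call with nothing marking the difference. A comment on the loop, `# list context intended: attachment_select may carry several values`, would keep the next sweep for unguarded param() calls from wrapping it too. formbuilder's body continues outside the hunk.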
diff --git a/IkiWiki/Plugin/goto.pm b/IkiWiki/Plugin/goto.pm
index 6b596ac8b..3a946b19d 100644
--- a/IkiWiki/Plugin/goto.pm
+++ b/IkiWiki/Plugin/goto.pm
@@ -27,7 +27,7 @@ sub cgi_goto ($;$) {
my $page = shift;
if (!defined $page) {
- $page = IkiWiki::decode_utf8($q->param("page"));
+ $page = IkiWiki::decode_utf8(scalar $q->param("page"));
if (!defined $page) {
error("missing page parameter");
diff --git a/IkiWiki/Plugin/inline.pm b/IkiWiki/Plugin/inline.pm
index f578526cc..300941943 100644
--- a/IkiWiki/Plugin/inline.pm
+++ b/IkiWiki/Plugin/inline.pm
@@ -119,7 +119,7 @@ sub sessioncgi ($$) {
my $session=shift;
if ($q->param('do') eq 'blog') {
- my $page=titlepage(decode_utf8($q->param('title')));
+ my $page=titlepage(decode_utf8(scalar $q->param('title')));
$page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs
# if the page already exists, munge it to be unique
my $from=$q->param('from');
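Review bot: After the change, a request with no `title` parameter passes undef through decode_utf8 into titlepage, and the substitution on the next line then operates on whatever titlepage returns; unlike the goto.pm and poll.pm hunks in this commit, nothing here rejects a missing or empty title. If titlepage does not itself handle undef (not visible in this hunk), a guard after the assignment, `error("missing title parameter") unless defined $page && length $page;`, would bring this site in line with the others. sessioncgi's body continues outside the hunk.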
diff --git a/IkiWiki/Plugin/openid.pm b/IkiWiki/Plugin/openid.pm
index 3b96e4b8e..63112d983 100644
--- a/IkiWiki/Plugin/openid.pm
+++ b/IkiWiki/Plugin/openid.pm
@@ -223,7 +223,7 @@ sub auth ($$) {
}
elsif (defined $q->param('openid_identifier')) {
# myopenid.com affiliate support
- validate($q, $session, $q->param('openid_identifier'));
+ validate($q, $session, scalar $q->param('openid_identifier'));
}
}
diff --git a/IkiWiki/Plugin/poll.pm b/IkiWiki/Plugin/poll.pm
index 3bd4af206..eb0e6ef04 100644
--- a/IkiWiki/Plugin/poll.pm
+++ b/IkiWiki/Plugin/poll.pm
@@ -99,7 +99,7 @@ sub sessioncgi ($$) {
my $cgi=shift;
my $session=shift;
if (defined $cgi->param('do') && $cgi->param('do') eq "poll") {
- my $choice=decode_utf8($cgi->param('choice'));
+ my $choice=decode_utf8(scalar $cgi->param('choice'));
if (! defined $choice || not length $choice) {
error("no choice specified");
}
diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm
index f7ea21b53..6d56340b8 100644
--- a/IkiWiki/Plugin/rename.pm
+++ b/IkiWiki/Plugin/rename.pm
@@ -237,7 +237,7 @@ sub postrename ($$$;$$) {
# on it.
$oldcgi->param("editcontent",
renamepage_hook($dest, $src, $dest,
- $oldcgi->param("editcontent")));
+ scalar $oldcgi->param("editcontent")));
# Get a new edit token; old was likely invalidated.
$oldcgi->param("rcsinfo",
@@ -297,7 +297,7 @@ sub sessioncgi ($$) {
if ($q->param("do") eq 'rename') {
my $session=shift;
- my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8($q->param("page")));
+ my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8(scalar $q->param("page")));
IkiWiki::decode_form_utf8($form);
my $src=$form->field("page");
@@ -332,7 +332,7 @@ sub sessioncgi ($$) {
IkiWiki::Plugin::attachment::is_held_attachment($src);
if ($held) {
rename($held, IkiWiki::Plugin::attachment::attachment_holding_location($dest));
- postrename($q, $session, $src, $dest, $q->param("attachment"))
+ postrename($q, $session, $src, $dest, scalar $q->param("attachment"))
unless defined $srcfile;
}
@@ -438,7 +438,7 @@ sub sessioncgi ($$) {
$renamesummary.=$template->output;
}
- postrename($q, $session, $src, $dest, $q->param("attachment"));
+ postrename($q, $session, $src, $dest, scalar $q->param("attachment"));
}
else {
IkiWiki::showform($form, $buttons, $session, $q);