| author | Simon McVittie <smcv@debian.org> | 2014-10-11 09:28:22 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2014-10-16 22:24:47 +0100 |
| commit | f4ec7b06d97c8406c5f5be7332ead2f28c271371 (patch) | |
| tree | e4c49055cbf2268321cbd79f13c8eb9762336096 /IkiWiki/CGI.pm | |
| parent | d8943d8668d2489b78d9c7c2abdad9f71d193724 (diff) | |
| download | ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar, ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar.gz | |
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
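The list-context expansion the commit message describes, shown as an added example that is not code from ikiwiki or from this commit. It assumes CGI.pm is installed (a CPAN module, no longer in core Perl) and uses the commit message's own constructed query string `a=b&a=c&d=e`; `lookup_page` is a hypothetical callee standing in for the functions the commit hardens.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # CGI.pm from CPAN; not part of core Perl since 5.22

# Constructed request: parameter 'a' is supplied twice.
my $q = CGI->new('a=b&a=c&d=e');

# Hypothetical callee that expects exactly one value in its first slot.
# Anything extra is silently taken as the second, optional argument.
sub lookup_page {
    my ($page, $mode) = @_;
    $mode //= 'view';
    return "page=$page mode=$mode";
}

# Unsafe pattern from the commit message: inside an argument list,
# param() runs in list context and expands to every value of 'a',
# so the attacker-controlled second value lands in $mode.
my $unsafe = lookup_page($q->param('a'));

# Fixed pattern: force scalar context so only the first value is passed
# and the call site keeps the arity the callee was written for.
my $safe = lookup_page(scalar $q->param('a'));

# Equivalent fix: assign to a scalar first, which is scalar context too.
my $page = $q->param('a');
my $safe2 = lookup_page($page);

# When several values are genuinely wanted, ask for them explicitly
# (multi_param is available in CGI.pm 4.08 and later) rather than
# relying on implicit list-context expansion.
my @all_a = $q->multi_param('a');

print "unsafe: $unsafe\n";
print "safe:   $safe\n";
print "safe2:  $safe2\n";
print "all values of a: @all_a\n";
```

Newer CGI.pm releases also emit a "CGI::param called in list context" warning, which is a useful signal for finding remaining call sites of this shape during review.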
Diffstat (limited to 'IkiWiki/CGI.pm')
0 files changed, 0 insertions, 0 deletions