diff options
author | Simon McVittie <smcv@debian.org> | 2014-10-11 09:28:22 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2014-10-16 22:24:47 +0100 |
commit | f4ec7b06d97c8406c5f5be7332ead2f28c271371 (patch) | |
tree | e4c49055cbf2268321cbd79f13c8eb9762336096 /IkiWiki/Plugin/attachment.pm | |
parent | d8943d8668d2489b78d9c7c2abdad9f71d193724 (diff) | |
download | ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar.gz |
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
Diffstat (limited to 'IkiWiki/Plugin/attachment.pm')
-rw-r--r-- | IkiWiki/Plugin/attachment.pm | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index d56dd18ad..fb8a6539e 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -132,7 +132,7 @@ sub formbuilder (@) { return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ; - my $filename=Encode::decode_utf8($q->param('attachment')); + my $filename=Encode::decode_utf8(scalar $q->param('attachment')); if (defined $filename && length $filename) { attachment_store($filename, $form, $q, $params{session}); } @@ -142,7 +142,7 @@ sub formbuilder (@) { } if ($form->submitted eq "Insert Links") { - my $page=quotemeta(Encode::decode_utf8($q->param("page"))); + my $page=quotemeta(Encode::decode_utf8(scalar $q->param("page"))); my $add=""; foreach my $f ($q->param("attachment_select")) { $f=Encode::decode_utf8($f); |