diff options
author | Simon McVittie <smcv@debian.org> | 2014-10-11 09:28:22 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2014-10-16 22:24:47 +0100 |
commit | f4ec7b06d97c8406c5f5be7332ead2f28c271371 (patch) | |
tree | e4c49055cbf2268321cbd79f13c8eb9762336096 /IkiWiki/Plugin/inline.pm | |
parent | d8943d8668d2489b78d9c7c2abdad9f71d193724 (diff) | |
download | ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar.gz |
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
Diffstat (limited to 'IkiWiki/Plugin/inline.pm')
-rw-r--r-- | IkiWiki/Plugin/inline.pm | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/IkiWiki/Plugin/inline.pm b/IkiWiki/Plugin/inline.pm index f578526cc..300941943 100644 --- a/IkiWiki/Plugin/inline.pm +++ b/IkiWiki/Plugin/inline.pm @@ -119,7 +119,7 @@ sub sessioncgi ($$) { my $session=shift; if ($q->param('do') eq 'blog') { - my $page=titlepage(decode_utf8($q->param('title'))); + my $page=titlepage(decode_utf8(scalar $q->param('title'))); $page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs # if the page already exists, munge it to be unique my $from=$q->param('from'); |