diff options
author | Simon McVittie <smcv@debian.org> | 2014-10-11 09:28:22 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2014-10-16 22:24:47 +0100 |
commit | f4ec7b06d97c8406c5f5be7332ead2f28c271371 (patch) | |
tree | e4c49055cbf2268321cbd79f13c8eb9762336096 /IkiWiki/Plugin/rename.pm | |
parent | d8943d8668d2489b78d9c7c2abdad9f71d193724 (diff) | |
download | ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar ikiwiki-f4ec7b06d97c8406c5f5be7332ead2f28c271371.tar.gz |
Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.
I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
Diffstat (limited to 'IkiWiki/Plugin/rename.pm')
-rw-r--r-- | IkiWiki/Plugin/rename.pm | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index f7ea21b53..6d56340b8 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm @@ -237,7 +237,7 @@ sub postrename ($$$;$$) { # on it. $oldcgi->param("editcontent", renamepage_hook($dest, $src, $dest, - $oldcgi->param("editcontent"))); + scalar $oldcgi->param("editcontent"))); # Get a new edit token; old was likely invalidated. $oldcgi->param("rcsinfo", @@ -297,7 +297,7 @@ sub sessioncgi ($$) { if ($q->param("do") eq 'rename') { my $session=shift; - my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8($q->param("page"))); + my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8(scalar $q->param("page"))); IkiWiki::decode_form_utf8($form); my $src=$form->field("page"); @@ -332,7 +332,7 @@ sub sessioncgi ($$) { IkiWiki::Plugin::attachment::is_held_attachment($src); if ($held) { rename($held, IkiWiki::Plugin::attachment::attachment_holding_location($dest)); - postrename($q, $session, $src, $dest, $q->param("attachment")) + postrename($q, $session, $src, $dest, scalar $q->param("attachment")) unless defined $srcfile; } @@ -438,7 +438,7 @@ sub sessioncgi ($$) { $renamesummary.=$template->output; } - postrename($q, $session, $src, $dest, $q->param("attachment")); + postrename($q, $session, $src, $dest, scalar $q->param("attachment")); } else { IkiWiki::showform($form, $buttons, $session, $q); |