From f4ec7b06d97c8406c5f5be7332ead2f28c271371 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Sat, 11 Oct 2014 09:28:22 +0100
Subject: Make sure we do not pass multiple CGI parameters in function calls

When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla.
---
 IkiWiki/Plugin/inline.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'IkiWiki/Plugin/inline.pm')
diff --git a/IkiWiki/Plugin/inline.pm b/IkiWiki/Plugin/inline.pm
index f578526cc..300941943 100644
--- a/IkiWiki/Plugin/inline.pm
+++ b/IkiWiki/Plugin/inline.pm
@@ -119,7 +119,7 @@ sub sessioncgi ($$) {
 my $session=shift;
 if ($q->param('do') eq 'blog') {
- my $page=titlepage(decode_utf8($q->param('title')));
+ my $page=titlepage(decode_utf8(scalar $q->param('title')));
 $page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs
 # if the page already exists, munge it to be unique
 my $from=$q->param('from');
-- 
cgit v1.2.3
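Review bot: The `scalar` added inside `titlepage(decode_utf8(...))` carries no comment explaining why it is there, so a later tidy-up could drop it as redundant and bring back the list-context expansion the commit message describes. I would add `# scalar: CGI->param returns every value of a repeated parameter in list context` directly above that line. Separately, `scalar $q->param('title')` evaluates to undef when the request has no `title` parameter, and nothing in the visible lines checks for that before `decode_utf8` and `titlepage` run; something like `my $title=scalar $q->param('title'); error("missing title") unless defined $title;` would make the handling explicit, assuming ikiwiki's usual `error` helper is in scope here. A guard may already exist elsewhere, since the body of `sessioncgi` starts and ends outside this hunk.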