perlron has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, I noticed an error in the logs while testing my CGI::Application. 
GI::param called in list context from package CGI::Session line 364, t
+his can lead to vulnerabilities. See the warning in "Fetching the val
+ue or values of a single named parameter" at /Users/XXXXXX/perl5/perl
+brew/perls/perl-5.10.1/lib/5.10.1/CGI.pm line 425., referer: http://c
+ismun.local/cgi-bin/register.cgi

[download]
- update is that i have seen that setting the variable $CGI::Application::LIST_CONTEXT_WARN to 0 provides a way to prevent this noise in the server logs.

While the query parameters are getting saved successfully and the functonality seems to work fine, i need a tip on how to resolve this error/warning. Even if u can tell me what is the vulnerability of this statement would be good enough for now..even though I read the CGI docs . Is this suggesting a posisble data inconsistency ??! The line code in question that i see is causing this issue is commented below. 
sub register_delegate{

  my $self = shift;
  my $session = $self->session();
  my $query = $self->query();
  my $countries = createHTMLDropDown("../files/country_listv2.txt");
 
  #clearing the session before writing new values.
  $session->clear();
#this line of code causes the error.
#  $session->save_param();
# 
$self->log->debug("after calling save param");
  my %ret_params = (
                'session_id' => $session->id(),
                'country_list_dd' => $countries,
                );

  return $self->tt_process('dlg_register.tt',\%ret_params);
}

[download]
I tried testing replacing it with the statement with the two options below, but the script dies without any output to the browser (blank page)and surprisingly even the debug statement is not appearing in the log file.
$session->save_param($query->param('s_addr')) or die $!;; and even 
$session->save_param(scalar $query->param('s_addr')) or die $!;

[download]
but it still dies without an error message. Thanks in advance for any tips.
Do not wait to strike when the iron is hot! Make it hot by striking - WB Yeats

Replies are listed 'Best First'.
Re: CGI::param called in list context from package
by Loops (Curate) on Oct 26, 2014 at 20:01 UTC

    You may want to look at this Blog post from earlier this month. They suggest preceding the statement with "scalar". And here is the CGI documentation on the matter.

    As for the save_param command, the documentation shows that the first parameter must be the $cgi object, followed by a list of the parameters you want to save.

    Update: So it turns out that I reference the v3.95 documentation above, here is v4.48 which suggests that the API for save_param has changed. Is it possible you are indeed running with an older version?

[reply]
      update ill have to double check the documentation u suggested as they are passing two arguments to param..
      yes i am testing this on perl 5.10.1 because that is the 'production' version so to speak.
      The odd thing is that when i use the scalar reference my code is breaking output and i see nothing in the logs.
      .just fyi..ill keep the security aspect in mind while designing the terms and conditions of website usage:D, as the application is not dealing with majorly sensitive data( maybe phone numbers/emails/names) and definitely no passwords!
      i will test this shortly on perl 5.20 and let u know if the warning / error surfaces.
      thank you for the quick help. i really value it.
      Do not wait to strike when the iron is hot! Make it hot by striking - WB Yeats
[reply]
Re: CGI::param called in list context from package
by leej (Monk) on Oct 27, 2014 at 14:25 UTC
    Update CGI.pm to the latest version. CGI::Session calls CGI::param in list context with no arguments, and i made the warning a little more noisy than i should have in v4.05. This was changed to be a bit more lenient in CGI.pm v4.06.
[reply]
      thank you for taking the trouble to make me know this. im relieved im not in no mans land then! folks like you make perl understandable for beginners.
      However based on a quick test of the application after a cpanm update to CGI v4.09 i still see the error/warning in my apache logs.
       CGI::param called in list context from package CGI::Session line 364, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter"
      Do let me know if there is any way i can check if the issue is on my side. My detailed code is put up above.
      the pertinent call is 
         my $session = $self->session();
   my $query = $self->query();
    

#clearing the session before writing new values.
 
   $session->clear();
   $session->save_param();

      [download]
      Do not wait to strike when the iron is hot! Make it hot by striking - WB Yeats
[reply]
[d/l]
[select]
        A ha! It looks like CGI::Session is calling ->param in list context with arguments: https://metacpan.org/source/MARKSTOS/CGI-Session-4.48/lib/CGI/Session.pm#L364 The temp solution to this is to set the following in your code: $CGI::LIST_CONTEXT_WARN = 0 An issue needs to be raised against CGI::Session to change it to use multi_param or switch off the warning. The slight irony is that i took over maintenance of CGI from Mark, the current author of CGI::Session...
[reply]
[d/l]

Back to Seekers of Perl Wisdom