in reply to Re: "CGI::param called in list context" confusion
in thread "CGI::param called in list context" confusion

Thanks! Can you explain how this could be exploited? Is there a quick way to test? I would like to better understand how this could be exploited so we can change the code. Thanks

Re^3: "CGI::param called in list context" confusion
by Corion (Patriarch) on Mar 19, 2015 at 09:54 UTC

    Look again at the example I gave in my above code. Submitting more than one value for foo allows you to swap keys and values in the call to the function or to insert additional keys into the call.

    For example if your code is

    #!perl -w
    use strict;
    use CGI;
    use Data::Dumper;

    sub do_foo {
        my( %params )= @_;
        print Dumper \%params;
        if( $params{ is_admin }) {
            print "Is admin\n";
        } else {
            print "No admin\n";
        };
    };

    my $q= CGI->new();
    do_foo( is_admin => 0, foo => $q->param('foo') );

    ... then you can test various incantations from the command line:

    perl -w test.pl foo=1
    perl -w test.pl foo=bar
    perl -w test.pl "foo=0&foo=is_admin&foo=yeah&foo=another_parameter&foo=yippieh"
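
The list-context call from the comment above next to two scalar-context forms, as an added example that is not part of the original post. It assumes CGI.pm is installed; `received_params` and the query string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # assumption: CGI.pm is installed (it left the Perl core in 5.22)

# Hypothetical helper with the same shape as do_foo() in the post:
# it takes named arguments as a flat list and returns them as a hash.
sub received_params {
    my (%params) = @_;
    return \%params;
}

# Constructed query string in which foo is submitted three times.
my $q = CGI->new('foo=0&foo=is_admin&foo=yeah');

# Vulnerable: param() in list context returns every value of foo, so the
# argument list becomes (is_admin => 0, foo => 0, is_admin => 'yeah') and
# the later is_admin pair overwrites the earlier one. Newer CGI.pm versions
# emit the "CGI::param called in list context" warning on this line.
my $unsafe = received_params( is_admin => 0, foo => $q->param('foo') );

# Hardened: scalar() forces a single value (the first one submitted).
my $safe = received_params( is_admin => 0, foo => scalar $q->param('foo') );

# Hardened alternative: assign to a scalar before building the argument list.
my $foo   = $q->param('foo');
my $safe2 = received_params( is_admin => 0, foo => $foo );

# Print what the callee actually received in each case.
printf "list context : is_admin=%s foo=%s\n", $unsafe->{is_admin}, $unsafe->{foo};
printf "scalar()     : is_admin=%s foo=%s\n", $safe->{is_admin},   $safe->{foo};
printf "scalar copy  : is_admin=%s foo=%s\n", $safe2->{is_admin},  $safe2->{foo};
```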
Re^3: "CGI::param called in list context" confusion
by LanX (Saint) on Mar 19, 2015 at 09:58 UTC