Change the param() interfac?

Gervase Markham gerv at
Tue Oct 7 08:06:30 UTC 2014

Hi everyone,

As you know, we have just done a security release. The bug is written up

I have been pointed at this article from 5 years ago:

which agrees that the param() interface is not awesome, although it
doesn't cover the security concerns we now know it raises. It seems that
many frameworks don't like this way of doing things, and have come up
with alternatives which are less of a footgun. The article documents
several alternatives, of which I think the leading two are:


$cgi->param('foo') always returns scalar
$cgi->arrayparam('foo') always returns a list


$cgi->scalarparam('foo') always returns scalar
$cgi->arrayparam('foo) always returns array
$cgi->param('foo') throws an error to stop you using it and make you
                   make a specific decision

(Let's not bikeshed on the function names before we've chosen an approach.)

I strongly think the best way to avoid future security holes is to make
the pattern which leads to them impossible. I know we now have a test to
detect the particular pattern which caused these bugs, but I'm not
willing to bet any money that there aren't other places or ways or
contexts this could happen. So I think we should switch the Bugzilla
codebase over to one of these two patterns, using the fact that we
control the CGI object (Bugzilla/ to alter the behaviour of the

I know LpSolit has expressed reservations, and that dveditz (Mozilla
security guy) is in favour. Comments?


dev-apps-bugzilla mailing list
dev-apps-bugzilla at

More information about the developers mailing list