Change the param() interface?

Gervase Markham gerv at mozilla.org
Tue Oct 7 08:06:30 UTC 2014


Hi everyone,

As you know, we have just done a security release. The bug is written up
here:
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

I have been pointed at this article from 5 years ago:

http://bulknews.typepad.com/blog/2009/12/perl-why-parameters-sucks-and-what-we-can-do.html

which agrees that the param() interface is not awesome, although it
doesn't cover the security concerns we now know it raises. It seems that
many frameworks don't like this way of doing things, and have come up
with alternatives which are less of a footgun. The article documents
several alternatives, of which I think the leading two are:

1)

$cgi->param('foo') always returns scalar
$cgi->arrayparam('foo') always returns a list

2)

$cgi->scalarparam('foo') always returns scalar
$cgi->arrayparam('foo') always returns array
$cgi->param('foo') throws an error to stop you using it and make you
                   make a specific decision

(Let's not bikeshed on the function names before we've chosen an approach.)

I strongly think the best way to avoid future security holes is to make
the pattern which leads to them impossible. I know we now have a test to
detect the particular pattern which caused these bugs, but I'm not
willing to bet any money that there aren't other places or ways or
contexts this could happen. So I think we should switch the Bugzilla
codebase over to one of these two patterns, using the fact that we
control the CGI object (Bugzilla/CGI.pm) to alter the behaviour of the
functions.

I know LpSolit has expressed reservations, and that dveditz (Mozilla
security guy) is in favour. Comments?

Gerv

_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla
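The following is an added illustration of the footgun the post is about, and of alternative 1; it is not code from Gerv's message or from Bugzilla/CGI.pm. It uses a hypothetical package MiniCGI that copies only the relevant behaviour of CGI.pm's param(): in scalar context it returns the first value, in list context it returns every value of a multi-valued parameter. The query string and the parameter names (login, realname, is_admin) are constructed for the example. Because the right-hand side of a hash assignment is evaluated in list context, a caller that writes `realname => $cgi->param('realname')` gets extra key/value pairs when the client repeats the parameter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a CGI object (not Bugzilla/CGI.pm). Only the
# context-sensitivity of param() is reproduced; everything else is minimal.
package MiniCGI;

# Decode one application/x-www-form-urlencoded token.
sub _decode {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

sub new {
    my ($class, $query_string) = @_;
    my %params;
    for my $pair (split /&/, $query_string) {
        my ($k, $v) = map { _decode($_) } split /=/, $pair, 2;
        push @{ $params{$k} }, defined $v ? $v : '';
    }
    return bless { params => \%params }, $class;
}

# The footgun: what you get depends on the caller's context (wantarray).
sub param {
    my ($self, $name) = @_;
    my $values = $self->{params}{$name} || [];
    return wantarray ? @$values : $values->[0];
}

# Alternative 1 from the post, under different names: a scalar-only accessor
# and a list-only accessor, so the caller has to choose.
sub scalarparam {
    my ($self, $name) = @_;
    my $values = $self->{params}{$name} || [];
    return $values->[0];    # exactly one scalar, even in list context
}

sub arrayparam {
    my ($self, $name) = @_;
    return @{ $self->{params}{$name} || [] };
}

package main;

# Constructed attacker input: "realname" is sent three times. A browser form
# would normally send it once.
my $cgi = MiniCGI->new('login=alice&realname=Alice&realname=is_admin&realname=1');

# Vulnerable pattern. The hash constructor is list context, so param()
# returns ('Alice', 'is_admin', '1'); the list flattens and the attacker's
# second and third values become a new key/value pair in %unsafe.
my %unsafe = (
    login    => $cgi->param('login'),
    realname => $cgi->param('realname'),
);
print "unsafe: ", join(', ', map { "$_=$unsafe{$_}" } sort keys %unsafe), "\n";

# Hardened form. scalarparam() ignores context, so %safe can only ever get
# the two keys written in the source.
my %safe = (
    login    => $cgi->scalarparam('login'),
    realname => $cgi->scalarparam('realname'),
);
print "safe:   ", join(', ', map { "$_=$safe{$_}" } sort keys %safe), "\n";

# Where a list really is wanted, the caller asks for it by name.
my @all = $cgi->arrayparam('realname');
print "arrayparam: ", scalar(@all), " value(s): @all\n";
```

Run with `perl` and compare the two hashes: %unsafe carries a key (is_admin) that never appears in the source, %safe does not. Alternative 2 from the post is the same code with param() replaced by a method that calls die(), so that any remaining caller fails loudly under test rather than silently taking whichever context it happens to be in.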


