Change the param() interface?

Damien damien.nozay at gmail.com
Tue Oct 7 17:08:29 UTC 2014


Hi folks,
isn't there some kind of perl lint tool to tell you these kinds of
constructs are bogus & dangerous?

On Tue, Oct 7, 2014 at 1:06 AM, Gervase Markham <gerv at mozilla.org> wrote:

> Hi everyone,
>
> As you know, we have just done a security release. The bug is written up
> here:
>
> http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
>
> I have been pointed at this article from 5 years ago:
>
>
> http://bulknews.typepad.com/blog/2009/12/perl-why-parameters-sucks-and-what-we-can-do.html
>
> which agrees that the param() interface is not awesome, although it
> doesn't cover the security concerns we now know it raises. It seems that
> many frameworks don't like this way of doing things, and have come up
> with alternatives which are less of a footgun. The article documents
> several alternatives, of which I think the leading two are:
>
> 1)
>
> $cgi->param('foo') always returns scalar
> $cgi->arrayparam('foo') always returns a list
>
> 2)
>
> $cgi->scalarparam('foo') always returns scalar
> $cgi->arrayparam('foo') always returns array
> $cgi->param('foo') throws an error to stop you using it and make you
>                    make a specific decision
>
> (Let's not bikeshed on the function names before we've chosen an approach.)
>
> I strongly think the best way to avoid future security holes is to make
> the pattern which leads to them impossible. I know we now have a test to
> detect the particular pattern which caused these bugs, but I'm not
> willing to bet any money that there aren't other places or ways or
> contexts this could happen. So I think we should switch the Bugzilla
> codebase over to one of these two patterns, using the fact that we
> control the CGI object (Bugzilla/CGI.pm) to alter the behaviour of the
> functions.
>
> I know LpSolit has expressed reservations, and that dveditz (Mozilla
> security guy) is in favour. Comments?
>
> Gerv
>
> _______________________________________________
> dev-apps-bugzilla mailing list
> dev-apps-bugzilla at lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-apps-bugzilla
>
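Option 1 from Gerv's message, as an added example: a CGI subclass whose param() always returns a scalar and whose arrayparam() always returns a list, placed next to the plain CGI.pm behaviour that makes the hash-constructor pattern a footgun (param() expanding to every value in list context). This is my code, not Bugzilla's Bugzilla/CGI.pm and not code from the thread; the package name ContextSafeCGI and the query string are constructed, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical subclass standing in for Bugzilla/CGI.pm (not Bugzilla's code).
package ContextSafeCGI;
use parent 'CGI';

# Option 1 from the thread: param() always returns a scalar, whatever the
# calling context. Setter calls (more than one argument) pass through, and
# the no-argument form still lists parameter names.
sub param {
    my ($self, @args) = @_;
    return $self->SUPER::param()      if !@args;
    return $self->SUPER::param(@args) if @args > 1;
    my $first = $self->SUPER::param($args[0]);   # scalar context: first value only
    return $first;
}

# arrayparam() always returns a list; it is the only way to get every value.
sub arrayparam {
    my ($self, $name) = @_;
    # multi_param() (CGI.pm 4.08+) is the list form without the list-context
    # warning; fall back to list-context param() on older releases.
    my @values = $self->can('multi_param')
        ? $self->multi_param($name)
        : $self->SUPER::param($name);
    return @values;
}

package main;

# Constructed query string: 'name' is supplied three times.
my $query = 'name=alice&name=bob&name=carol&active=1';

# Plain CGI.pm: in list context param() expands to all three values, so in a
# hash constructor the extra values slide into key and value positions and
# the hash no longer has the shape the code intended.
my %plain_cgi = (name => CGI->new($query)->param('name'), created => 1);

# Subclass: param() is forced scalar, so the hash keeps its intended shape,
# and the full list has to be requested explicitly via arrayparam().
my $cgi  = ContextSafeCGI->new($query);
my %safe = (name => $cgi->param('name'), created => 1);
my @all  = $cgi->arrayparam('name');

for my $pair (['plain CGI.pm', \%plain_cgi], ['ContextSafeCGI', \%safe]) {
    my ($title, $h) = @$pair;
    printf "%-15s %s\n", "$title:", join(', ', map { "$_=$h->{$_}" } sort keys %$h);
}
printf "arrayparam('name'): %s\n", join(' ', @all);
```

On CGI.pm 4.08 and later the plain list-context call also emits a "called in list context" warning on stderr, which is a useful signal to grep for in a code base that has not yet switched interfaces.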
