Francois Gouget : testbot: Force CGI::param() to scalar context for security.

Alexandre Julliard julliard at winehq.org
Mon Jun 19 13:47:06 CDT 2017


Module: tools
Branch: master
Commit: e0e43d8cac1e3d64d1c104bc0b49f930b44df305
URL:    http://source.winehq.org/git/tools.git/?a=commit;h=e0e43d8cac1e3d64d1c104bc0b49f930b44df305

Author: Francois Gouget <fgouget at codeweavers.com>
Date:   Mon Jun 19 09:06:49 2017 +0200

testbot: Force CGI::param() to scalar context for security.

Otherwise a call like foo($Page->GetParam("Name")) can end up passing
extra arguments to foo() if the URL contains multiple instances of
'Name'. The situation is even worse if one uses named parameters.
No code depended on being able to get multiple values and the only
place that used CGI::param() to get the list of parameter names is
already using Page::GetParameterNames().

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
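An added illustration of the hazard the commit message describes, not code from the tools repository: a repeated URL parameter read in list context injects extra named arguments into the callee, while the scalar-forcing wrapper from the patch does not. It assumes CGI.pm is installed (it is not a core module in current Perls) and uses a constructed query string; describe_user() and the standalone GetParam() are hypothetical stand-ins for the page's foo() and Page::GetParam().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the same parameter name appears three times.
# CGI->new() accepts a raw query string, so no web server is needed.
my $cgi = CGI->new('Name=alice&Name=Admin&Name=1');

# A hypothetical callee that takes named parameters, the case the
# commit message calls "even worse".
sub describe_user
{
  my (%opts) = @_;
  return join(', ', map { "$_=$opts{$_}" } sort keys %opts);
}

# Unwrapped: CGI::param() runs in list context and returns every value
# for 'Name', so the surplus values pair up as new key/value entries in
# %opts. Here a request-controlled 'Admin' option appears that the
# caller never passed. Recent CGI.pm versions warn on this call for
# exactly this reason.
my $unsafe = describe_user(Name => $cgi->param('Name'));

# Wrapped as in the patch: scalar() forces scalar context, in which
# CGI::param() yields only the first value for the name.
sub GetParam
{
  my ($cgi, @args) = @_;
  return scalar($cgi->param(@args));
}
my $safe = describe_user(Name => GetParam($cgi, 'Name'));

print "unwrapped: $unsafe\n";
print "wrapped:   $safe\n";
```

The same expansion affects positional callers: foo(GetParam("Name"), $other) would have received the surplus values in place of $other before this patch.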

---

 testbot/lib/ObjectModel/CGI/Page.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 1fb2ca3..50598bf 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -77,7 +77,9 @@ sub GetParamNames($)
 
 =head1 C<GetParam()>
 
-This thunks to CGI::param() and thus takes the same arguments list.
+This thunks to CGI::param() and thus takes the same arguments list but forces
+the result to scalar context to avoid security issues.
+To get the list of parameter names use GetParamNames().
 
 =back
 =cut
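Review bot: The new POD sentence "forces the result to scalar context to avoid security issues" leaves out what that means for a caller when a name is repeated in the request: in scalar context CGI::param() returns only the first value and the others are dropped, so one line such as `If a parameter appears more than once only its first value is returned.` would spare readers a trip to the CGI.pm documentation. The added pointer to GetParamNames() matches the `sub GetParamNames($)` visible in the hunk header, but the commit message refers to Page::GetParameterNames(); the two names should agree. Minor wording: "the same arguments list" reads better as "the same argument list".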
@@ -86,7 +88,7 @@ sub GetParam($@)
 {
   my $self = shift;
 
-  return $self->{CGIObj}->param(@_);
+  return scalar($self->{CGIObj}->param(@_));
 }
 
 sub CGI($)
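Review bot: `return scalar($self->{CGIObj}->param(@_));` also changes the no-argument case. CGI::param() called without a name returns the list of parameter names, and scalar() cannot return a list, so $Page->GetParam() with an empty argument list now yields a single scalar instead of the names. Since the commit message states that no caller needs that and GetParamNames() covers it, consider failing explicitly, e.g. `die "GetParam() requires a parameter name" unless @_;`, so a future caller gets a clear error rather than a surprising value. The scalar() wrapper itself is the right fix for the case described: in list context a repeated name expands into every value and shifts the caller's remaining positional or named arguments.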
