[Tools 2/2] testbot: Force CGI::param() to scalar context for security.

Francois Gouget fgouget at codeweavers.com
Mon Jun 19 02:06:49 CDT 2017

Otherwise a call like foo($Page->GetParam("Name")) can end up passing
extra arguments to foo() if the URL contains multiple instances of
'Name'. The situation is even worse if one uses named parameters.
No code depended on being able to get multiple values and the only
place that used CGI:param() to get the list of parameter names is
already using Page::GetParameterNames().

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>

This fixes warnings in the Apache log.

See also:

 testbot/lib/ObjectModel/CGI/Page.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testbot/lib/ObjectModel/CGI/Page.pm b/testbot/lib/ObjectModel/CGI/Page.pm
index 1fb2ca32..50598bfa 100644
--- a/testbot/lib/ObjectModel/CGI/Page.pm
+++ b/testbot/lib/ObjectModel/CGI/Page.pm
@@ -77,7 +77,9 @@ sub GetParamNames($)
 =head1 C<GetParam()>
-This thunks to CGI::param() and thus takes the same arguments list.
+This thunks to CGI::param() and thus takes the same arguments list but forces
+the result to scalar context to avoid security issues.
+To get the list of parameter names use GetParamNames().
@@ -86,7 +88,7 @@ sub GetParam($@)
   my $self = shift;
-  return $self->{CGIObj}->param(@_);
+  return scalar($self->{CGIObj}->param(@_));
 sub CGI($)

More information about the wine-patches mailing list