Bug 15809: Redefine multi_param is CGI < 4.08 is used

On debian Jessie, the CGI version is >= 4.08
Since this version, the param method raise a warning
"CGI::param called in list context".
Indeed, it can cause vulnerability if called in list context

https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

There is a long journey to get rid of these warnings.
First I suggest to redefine the multi_param method when the CGI version
 installed is < 4.08, it will allow us to move the wrong ->param calls to
 ->multi_param without waiting for everybody to upgrade.

The different ways to call these 2 methods are:

my $foo = $cgi->param('foo'); # OK

my @foo = $cgi->param('foo'); # NOK, will raise the warning
my @foo = $cgi->multi_param('foo'); #OK

$template->param( foo => $cgi->param('foo') ); # NOK, will raise the warning
                                               # and vulnerable
$template->param( foo => scalar $cgi->param('foo') ); # OK

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested a call to multi_param with CGI < 4.08.
With reference to the comments on Bugzilla, this workaround is arguable,
but provides a base to move to multi_param. If we come up with a better
solution, it should be easy to adjust.

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
(cherry picked from commit 94dde6b48d6e20a5260ea49f9b98ec884c2c25b5)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 279732365eb07bf9f9929402aadd837c16f131b6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

diff --git a/C4/Context.pm b/C4/Context.pm
index 24368e1..18b3686 100644 (file)
--- a/C4/Context.pm
+++ b/C4/Context.pm
@@ -76,6 +76,15 @@ BEGIN {
                if ($ENV{KOHA_BACKTRACES}) {
                        $main::SIG{__DIE__} = \&CGI::Carp::confess;
                }
+
+        # Redefine multi_param if cgi version is < 4.08
+        # Remove the "CGI::param called in list context" warning in this case
+        if (!defined($CGI::VERSION) || $CGI::VERSION < 4.08) {
+            no warnings 'redefine';
+            *CGI::multi_param = \&CGI::param;
+            use warnings 'redefine';
+            $CGI::LIST_CONTEXT_WARN = 0;
+        }
     }          # else there is no browser to send fatals to!
 
     # Check if there are memcached servers set