From: Simon McVittie
Date: Sat, 11 Oct 2014 08:28:22 +0000 (+0100)
Subject: Make sure we do not pass multiple CGI parameters in function calls
X-Git-Tag: debian/3.20141016~11
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/f4ec7b06d97c8406c5f5be7332ead2f28c271371?ds=sidebyside;hp=f4ec7b06d97c8406c5f5be7332ead2f28c271371

Make sure we do not pass multiple CGI parameters in function calls

When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values of the
parameter: for instance, if we parse query string a=b&a=c&d=e and call
func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of
the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
---
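
The list-context expansion described in the commit message, shown next to the scalar-context form that yields a single value. This is an added example, not part of the commit or of ikiwiki's code; describe_args is a hypothetical helper, and the query string is the one quoted in the message.

```perl
#!/usr/bin/perl
# Added illustration; not code from ikiwiki.
use strict;
use warnings;
use CGI;

# Newer CGI.pm releases warn when param() is called in list context.
# Silence that here because some calls below do it on purpose.
$CGI::LIST_CONTEXT_WARN = 0;

# Hypothetical helper: one required argument and one optional argument
# that the caller never intends to take from the request.
sub describe_args {
    my ($value, $option) = @_;
    $option = 'default' unless defined $option;
    return "value=$value option=$option";
}

# Constructed request, using the query string from the commit message.
my $cgi = CGI->new('a=b&a=c&d=e');

# List context: param('a') expands to every value of 'a', so the
# second value from the request fills the optional $option slot.
print describe_args($cgi->param('a')), "\n";

# scalar() forces scalar context: param() returns only the first value
# and $option keeps the default the function author intended.
print describe_args(scalar $cgi->param('a')), "\n";

# The same expansion shifts any argument that follows the param() call
# one slot to the right, so the caller's own 'fixed' value is ignored.
print describe_args($cgi->param('a'), 'fixed'), "\n";

# With scalar(), the caller's 'fixed' value arrives where it belongs.
print describe_args(scalar($cgi->param('a')), 'fixed'), "\n";
```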