From f4ec7b06d97c8406c5f5be7332ead2f28c271371 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sat, 11 Oct 2014 09:28:22 +0100 Subject: [PATCH 1/1] Make sure we do not pass multiple CGI parameters in function calls When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla. --- IkiWiki/Plugin/attachment.pm | 4 ++-- IkiWiki/Plugin/goto.pm | 2 +- IkiWiki/Plugin/inline.pm | 2 +- IkiWiki/Plugin/openid.pm | 2 +- IkiWiki/Plugin/poll.pm | 2 +- IkiWiki/Plugin/rename.pm | 8 ++++---- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/IkiWiki/Plugin/attachment.pm b/IkiWiki/Plugin/attachment.pm index d56dd18ad..fb8a6539e 100644 --- a/IkiWiki/Plugin/attachment.pm +++ b/IkiWiki/Plugin/attachment.pm @@ -132,7 +132,7 @@ sub formbuilder (@) { return if ! defined $form->field("do") || ($form->field("do") ne "edit" && $form->field("do") ne "create") ; - my $filename=Encode::decode_utf8($q->param('attachment')); + my $filename=Encode::decode_utf8(scalar $q->param('attachment')); if (defined $filename && length $filename) { attachment_store($filename, $form, $q, $params{session}); } @@ -142,7 +142,7 @@ sub formbuilder (@) { } if ($form->submitted eq "Insert Links") { - my $page=quotemeta(Encode::decode_utf8($q->param("page"))); + my $page=quotemeta(Encode::decode_utf8(scalar $q->param("page"))); my $add=""; foreach my $f ($q->param("attachment_select")) { $f=Encode::decode_utf8($f); diff --git a/IkiWiki/Plugin/goto.pm b/IkiWiki/Plugin/goto.pm index 6b596ac8b..3a946b19d 100644 --- a/IkiWiki/Plugin/goto.pm +++ b/IkiWiki/Plugin/goto.pm 
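Review bot: The `scalar` added in front of `$q->param('attachment')` in formbuilder is load-bearing, but nothing at the call site says so, and a later tidy-up could remove it as redundant. A short comment on the line, for example `# scalar: CGI->param returns every value of a repeated parameter in list context`, would keep the reason next to the code. The same applies to the other call sites this patch touches in goto.pm, inline.pm, openid.pm, poll.pm and rename.pm. formbuilder's body starts and ends outside the hunk.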
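Review bot: In the "Insert Links" branch `$page` is still built without a definedness check: when `page` is absent, `Encode::decode_utf8` receives undef and `quotemeta` turns that into an empty string. How `$page` is used afterwards is outside the hunk, but the `quotemeta` suggests a pattern, and an empty prefix would presumably match more than intended. A guard before the `quotemeta`, in the style goto.pm already uses, would close this: `my $rawpage=Encode::decode_utf8(scalar $q->param("page")); error("missing page parameter") unless defined $rawpage && length $rawpage;`. The same gap is visible in inline.pm (`titlepage(decode_utf8(scalar $q->param('title')))`) and in rename.pm's sessioncgi (`rename_form($q, $session, Encode::decode_utf8(scalar $q->param("page")))`), where no check appears within the hunk.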
@@ -27,7 +27,7 @@ sub cgi_goto ($;$) { my $page = shift; if (!defined $page) { - $page = IkiWiki::decode_utf8($q->param("page")); + $page = IkiWiki::decode_utf8(scalar $q->param("page")); if (!defined $page) { error("missing page parameter"); diff --git a/IkiWiki/Plugin/inline.pm b/IkiWiki/Plugin/inline.pm index f578526cc..300941943 100644 --- a/IkiWiki/Plugin/inline.pm +++ b/IkiWiki/Plugin/inline.pm @@ -119,7 +119,7 @@ sub sessioncgi ($$) { my $session=shift; if ($q->param('do') eq 'blog') { - my $page=titlepage(decode_utf8($q->param('title'))); + my $page=titlepage(decode_utf8(scalar $q->param('title'))); $page=~s/(\/)/"__".ord($1)."__"/eg; # don't create subdirs # if the page already exists, munge it to be unique my $from=$q->param('from'); diff --git a/IkiWiki/Plugin/openid.pm b/IkiWiki/Plugin/openid.pm index 3b96e4b8e..63112d983 100644 --- a/IkiWiki/Plugin/openid.pm +++ b/IkiWiki/Plugin/openid.pm @@ -223,7 +223,7 @@ sub auth ($$) { } elsif (defined $q->param('openid_identifier')) { # myopenid.com affiliate support - validate($q, $session, $q->param('openid_identifier')); + validate($q, $session, scalar $q->param('openid_identifier')); } } diff --git a/IkiWiki/Plugin/poll.pm b/IkiWiki/Plugin/poll.pm index 3bd4af206..eb0e6ef04 100644 --- a/IkiWiki/Plugin/poll.pm +++ b/IkiWiki/Plugin/poll.pm @@ -99,7 +99,7 @@ sub sessioncgi ($$) { my $cgi=shift; my $session=shift; if (defined $cgi->param('do') && $cgi->param('do') eq "poll") { - my $choice=decode_utf8($cgi->param('choice')); + my $choice=decode_utf8(scalar $cgi->param('choice')); if (! defined $choice || not length $choice) { error("no choice specified"); } diff --git a/IkiWiki/Plugin/rename.pm b/IkiWiki/Plugin/rename.pm index f7ea21b53..6d56340b8 100644 --- a/IkiWiki/Plugin/rename.pm +++ b/IkiWiki/Plugin/rename.pm 
@@ -237,7 +237,7 @@ sub postrename ($$$;$$) { # on it. $oldcgi->param("editcontent", renamepage_hook($dest, $src, $dest, - $oldcgi->param("editcontent"))); + scalar $oldcgi->param("editcontent"))); # Get a new edit token; old was likely invalidated. $oldcgi->param("rcsinfo", @@ -297,7 +297,7 @@ sub sessioncgi ($$) { if ($q->param("do") eq 'rename') { my $session=shift; - my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8($q->param("page"))); + my ($form, $buttons)=rename_form($q, $session, Encode::decode_utf8(scalar $q->param("page"))); IkiWiki::decode_form_utf8($form); my $src=$form->field("page"); @@ -332,7 +332,7 @@ sub sessioncgi ($$) { IkiWiki::Plugin::attachment::is_held_attachment($src); if ($held) { rename($held, IkiWiki::Plugin::attachment::attachment_holding_location($dest)); - postrename($q, $session, $src, $dest, $q->param("attachment")) + postrename($q, $session, $src, $dest, scalar $q->param("attachment")) unless defined $srcfile; } @@ -438,7 +438,7 @@ sub sessioncgi ($$) { $renamesummary.=$template->output; } - postrename($q, $session, $src, $dest, $q->param("attachment")); + postrename($q, $session, $src, $dest, scalar $q->param("attachment")); } else { IkiWiki::showform($form, $buttons, $session, $q); -- 2.39.5
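Review bot: In postrename the inner getter is now scalar, but the return value of `renamepage_hook(...)` is itself evaluated in list context as the second argument of `$oldcgi->param("editcontent", ...)`. If the hook ever returned an empty list, the call would degrade to a plain getter and leave the old content in place, and a longer list would set a multi-valued parameter. The hook's body is not visible here, so this may be hardening only. Assuming it returns a single string, `scalar renamepage_hook($dest, $src, $dest, scalar $oldcgi->param("editcontent"))` makes the setter independent of that. postrename's body extends beyond the hunk.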