* Ovid <[EMAIL PROTECTED]> [2008-10-22 11:40]:
> Because multiple parameters are supplied, the data structure
> changes! All an attacker needs to do is tack on a duplicate
> parameter to a query string and see if the code crashes.

And if it does then what? The problem is largely benign,
actually, from a security perspective. (Of course, all types of
bugs can cause an existing potential security hole to manifest.)

The fact that the app crashes is still a problem, though. That
shouldn’t happen. That said:

> There's an idea I've toyed with for Perl 6's CGI.pm and I think
> it might prove useful for Catalyst: allow junctions for
> request parameters.

I don’t see the point of junctions here. Feel free to write
Catalyst::Request::Junctional :-) but I don’t think that a
junction-based API belongs in the Cat core. Maybe in Catasixt,
but not in Cat-on-Perl 5.

I outlined a proposal a long time ago of two different methods
like the current `param`, one which always returned a single
value (the last one if there are multiple) and one which always
returned an arrayref. Then there could be no confusion and code
would always get exactly what it was written to expect.

Matt agreed but punted to volunteers, and none stepped up, me
included, so it has yet to happen.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
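
The two-accessor idea described in the message above, sketched as an added example that is not part of the original post and not Catalyst's own code. The helper names `param_single` and `param_multi` are hypothetical, and the parameter hash shape (a scalar for one occurrence, an arrayref for repeats) is an assumption about how the request data arrives.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helpers, not Catalyst API. $params is assumed to hold a
# plain scalar when a key appears once in the query string and an
# arrayref when the same key is repeated.

# Always one value: the last occurrence wins; undef if the key is absent.
sub param_single {
    my ($params, $name) = @_;
    my $v = $params->{$name};
    return ref($v) eq 'ARRAY' ? $v->[-1] : $v;
}

# Always an arrayref: empty if absent, one element for a single value.
sub param_multi {
    my ($params, $name) = @_;
    return [] unless exists $params->{$name};
    my $v = $params->{$name};
    return ref($v) eq 'ARRAY' ? [@$v] : [$v];
}

# Constructed sample input: ?id=42 versus ?id=42&id=43
my @cases = (
    [ normal    => { id => '42' } ],
    [ duplicate => { id => [ '42', '43' ] } ],
);

for my $case (@cases) {
    my ($label, $params) = @$case;

    # Direct hash access changes type with the request, which is what
    # breaks code written to expect a plain string.
    my $raw = $params->{id};

    printf "%-9s raw=%-9s single=%s multi=[%s]\n",
        $label,
        (ref($raw) ? 'ARRAY ref' : $raw),
        param_single($params, 'id'),
        join(',', @{ param_multi($params, 'id') });
}
```

With either accessor the caller gets the same type whether or not the parameter was duplicated, so a repeated key can no longer change the shape of the data the code receives.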