Hi guys,
In the code for Dancer2::Plugin::Auth::Extensible I see the following:
# For security, ensure the username and password are straight
# scalars; if the app is using a serializer and we were sent a
# blob of JSON, they could have come from that JSON, and thus
# could be hashrefs (JSON SQL injection) - for database providers,
# feeding a carefully crafted hashref to the SQL builder could
# result in different SQL to what we'd expect.
That all makes sense. However, from what I understand, auto-serializing
now happens either for all requests or for none. Therefore, are these
sorts of checks required when running a recent version of Dancer2? Or is
it just the case that they should remain there in case an older version
of Dancer2 is being used?
Thanks,
Andy
_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
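An added illustration of the comment quoted above, not code from Dancer2::Plugin::Auth::Extensible or from the poster: it shows how SQL::Abstract (the builder many DBI-backed providers use) treats a hashref credential as operator syntax, and a plain-scalar guard that refuses it. The helper names and the `users` table are assumptions; the only dependency is SQL::Abstract from CPAN.

```perl
#!/usr/bin/env perl
# Added example, not part of the plugin. Demonstrates why the "straight
# scalars" check exists when credentials may arrive from a deserialised body.
use strict;
use warnings;
use SQL::Abstract;

my $sqla = SQL::Abstract->new;

# Hypothetical guard: accept only defined, non-reference values.
# A hashref or arrayref from a JSON body fails this test.
sub is_plain_scalar {
    my ($v) = @_;
    return defined $v && !ref $v;
}

# Hypothetical provider lookup: validate first, then let the builder
# produce a parameterised equality query against the (assumed) users table.
sub build_login_query {
    my ($username, $password) = @_;
    die "credential is not a plain scalar\n"
        unless is_plain_scalar($username) && is_plain_scalar($password);
    return $sqla->select('users', ['*'],
        { username => $username, password => $password });
}

# Form-style input: two strings, bound as placeholders.
my ($sql, @bind) = build_login_query('alice', 's3cret');
print "guarded:   $sql  bind=[@bind]\n";

# The same fields arriving as hashrefs from a deserialised JSON body.
# Fed straight to the builder, the hash keys are read as SQL operators,
# so the WHERE clause no longer tests equality with the supplied values.
my @hashref_creds = ({ '!=' => '' }, { '!=' => '' });
my ($raw_sql, @raw_bind) = $sqla->select('users', ['*'],
    { username => $hashref_creds[0], password => $hashref_creds[1] });
print "unguarded: $raw_sql  bind=[@raw_bind]\n";

# With the guard in front, the same input is rejected before any SQL exists.
eval { build_login_query(@hashref_creds) };
print "guarded:   rejected, $@" if $@;
```

Running it prints the two generated statements side by side, so the change in the WHERE clause the comment warns about is visible, along with the rejection from the guarded path.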