On Thu, 1 Mar 2012, RS Tech wrote:

> A client just sent me a web security report for a Mason-based site I
> built for him a while ago (Mason 1.38). The report, which was generated
> by HP WebInspect, complains that form scripts on the site are not
> distinguishing between POST and GET parameters. A summary of the problem
> is provided, explaining that 'collapsing' POST and GET params into a
> single collection exposes the site to XSS and other attacks.

Basically every web framework in the world does this (at least in the Perl 
world).

You _can_, if you like, distinguish between the two by using the 
underlying API (CGI.pm, mod_perl's Apache2::Request, Catalyst::Request).

I think the issue here is not so much the collapsing of the parameters, but 
whether you can use a GET request to submit a form, for example.

In other words, does this work ...

   <img src="/bad/action?x=42" />

The way to avoid this is to make a point of distinguishing between GET and 
POST when handling form submissions.

This issue really isn't specific to Mason, though if you use Mason 
exclusively (as opposed to as part of Catalyst/Dancer/etc) you'll get no 
help in handling this. With Catalyst and Catalyst::Action::REST, it's 
trivial to designate controller actions that can only be reached via POST.

In other words, dispatching can be done based on a combination of URI and 
HTTP method, rather than just the URI.

You can fake this in Mason with something like this ...

   <%init>
   dont_accept_request() unless $r->method eq 'POST';

   handle_form_submission();
   </%init>

Just make sure that every form handling component goes through this logic 
(an autohandler is your friend).

But I'll say for the millionth time, I think something like Catalyst is 
much better for the controller/dispatch side of things, and this is one 
reason among many.


-dave

/*============================================================
http://VegGuide.org               http://blog.urth.org
Your guide to all that's veg      House Absolute(ly Pointless)
============================================================*/
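The method-based dispatch described above, as an added example that is not from this thread, from Mason or from Catalyst: a small WSGI-style router in Python that keys handlers on (HTTP method, path) and keeps query-string and body parameters in two separate collections instead of one merged one, so `<img src="/bad/action?x=42">` never reaches the form handler. The `ROUTES` table, `split_params`, `dispatch` and the request dict (with a constructed `BODY` key standing in for the request body stream) are all assumptions of this example.

```python
from urllib.parse import parse_qs

# Constructed routing table: handlers are keyed by (method, path), so a GET
# to a POST-only path never reaches the handler at all.
ROUTES = {}

def route(method, path):
    def register(handler):
        ROUTES[(method, path)] = handler
        return handler
    return register

def split_params(environ):
    """Return (query, body) as two separate dicts, never a merged collection."""
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    body = {}
    # Only a form-encoded POST has body parameters; BODY is a constructed
    # stand-in for the wsgi.input stream to keep the example self-contained.
    if environ.get("REQUEST_METHOD") == "POST" and \
       environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
        body = parse_qs(environ.get("BODY", ""), keep_blank_values=True)
    return query, body

@route("POST", "/bad/action")
def bad_action(query, body):
    # State-changing input is read from the POST body only; a value smuggled
    # into the query string of a POST is ignored rather than silently accepted.
    if "x" not in body:
        return 400, "missing form field x"
    return 200, "updated x=%s" % body["x"][0]

def dispatch(environ):
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    handler = ROUTES.get((method, path))
    if handler is None:
        # The path exists under another method: refuse instead of falling through.
        if any(p == path for _, p in ROUTES):
            return 405, "method not allowed"
        return 404, "not found"
    query, body = split_params(environ)
    return handler(query, body)
```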

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users