use Stream::Buffered;
use Hash::MultiValue;
use Scalar::Util;
-
+use HTTP::Body;
use Moose;
use namespace::clean -except => 'meta';
with 'MooseX::Emulate::Class::Accessor::Fast';
-has env => (is => 'ro', writer => '_set_env', predicate => 'has_env');
+has env => (is => 'ro', writer => '_set_env', predicate => '_has_env');
# XXX Deprecated crap here - warn?
has action => (is => 'rw');
# XXX: Deprecated in docs ages ago (2006), deprecated with warning in 5.8000 due
has match => (is => 'rw');
has method => (is => 'rw');
has protocol => (is => 'rw');
-has query_parameters => (is => 'rw', default => sub { {} });
+has query_parameters => (is => 'rw', lazy=>1, default => sub { shift->_use_hash_multivalue ? Hash::MultiValue->new : +{} });
has secure => (is => 'rw', default => 0);
has captures => (is => 'rw', default => sub { [] });
has uri => (is => 'rw', predicate => 'has_uri');
has io_fh => (
is=>'ro',
- predicate=>'has_io_fh',
+ predicate=>'_has_io_fh',
lazy=>1,
builder=>'_build_io_fh');
}
}
+has _use_hash_multivalue => (
+ is=>'ro',
+ required=>1,
+ default=> sub {0});
+
# Amount of data to read from input on each pass
our $CHUNKSIZE = 64 * 1024;
my $body_parameters = $self->body_parameters;
my $query_parameters = $self->query_parameters;
- ## setup for downstream plack
- $self->env->{'plack.request.merged'} ||= do {
- my $query = $self->env->{'plack.request.query'} || Hash::MultiValue->new;
- my $body = $self->env->{'plack.request.body'} || Hash::MultiValue->new;
- Hash::MultiValue->new($query->flatten, $body->flatten);
- };
+ if($self->_use_hash_multivalue) {
+ return Hash::MultiValue->new($query_parameters->flatten, $body_parameters->flatten);
+ }
# We copy, no references
foreach my $name (keys %$query_parameters) {
# If previously applied middleware created the HTTP::Body object, then we
# just use that one.
- if(my $plack_body = $self->env->{'plack.request.http.body'}) {
+ if(my $plack_body = $self->_has_env ? $self->env->{'plack.request.http.body'} : undef) {
$self->_body($plack_body);
$self->_body->cleanup(1);
return;
}
- # Define PSGI ENV placeholders, or for empty should there be no content
- # body (typical in HEAD or GET). Looks like from Plack::Request that
- # middleware would probably expect to see this, even if empty
-
- $self->env->{'plack.request.body'} = Hash::MultiValue->new;
- $self->env->{'plack.request.upload'} = Hash::MultiValue->new;
-
# If there is nothing to read, set body to naught and return. This
# will cause all body code to be skipped
$self->env->{'psgi.input'}->seek(0, 0); # Reset the buffer for downstream middleware or apps
}
- $self->env->{'plack.request.http.body'} = $self->_body;
- $self->env->{'plack.request.body'} = Hash::MultiValue->from_mixed($self->_body->param);
-
# paranoia against wrong Content-Length header
my $remaining = $length - $self->_read_position;
if ( $remaining > 0 ) {
}
sub prepare_body_parameters {
- my ( $self ) = @_;
+ my ( $self, $c ) = @_;
$self->prepare_body if ! $self->_has_body;
- return {} unless $self->_body;
- return $self->_body->param;
+ unless($self->_body) {
+ return $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
+ }
+
+ my $params = $self->_body->param;
+
+ # If we have an encoding configured (like UTF-8) in general we expect a client
+ # to POST with the encoding we fufilled the request in. Otherwise don't do any
+ # encoding (good change wide chars could be in HTML entity style llike the old
+ # days -JNAP
+
+ # so, now that HTTP::Body prepared the body params, we gotta 'walk' the structure
+ # and do any needed decoding.
+
+ # This only does something if the encoding is set via the encoding param. Remember
+ # this is assuming the client is not bad and responds with what you provided. In
+ # general you can just use utf8 and get away with it.
+ #
+ # I need to see if $c is here since this also doubles as a builder for the object :(
+
+ if($c and $c->encoding) {
+ $params = $c->_handle_unicode_decoding($params);
+ }
+
+ return $self->_use_hash_multivalue ?
+ Hash::MultiValue->from_mixed($params) :
+ $params;
}
sub prepare_connection {
$req->uri;
$req->user;
$req->user_agent;
+ $req->env;
See also L<Catalyst>, L<Catalyst::Request::Upload>.
cause a hash initialization error. For a more straightforward interface see
C<< $c->req->parameters >>.
+B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
+are now known to cause demonstrated exploits. It is highly recommended that you
+avoid using this method, and migrate existing code away from it. Here's the
+whitepaper of the exploit:
+
+L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
+
+Basically this is an exploit that takes advantage of how L<\param> will do one thing
+in scalar context and another thing in list context. This is combined with how Perl
+chooses to deal with duplicate keys in a hash definition by overwriting the value of
+existing keys with a new value if the same key shows up again. Generally you will be
+vulnerale to this exploit if you are using this method in a direct assignment in a
+hash, such as with a L<DBIx::Class> create statement. For example, if you have
+parameters like:
+
+ user?user=123&foo=a&foo=user&foo=456
+
+You could end up with extra parameters injected into your method calls:
+
+ $c->model('User')->create({
+ user => $c->req->param('user'),
+ foo => $c->req->param('foo'),
+ });
+
+Which would look like:
+
+ $c->model('User')->create({
+ user => 123,
+ foo => qw(a user 456),
+ });
+
+(or to be absolutely clear if you are not seeing it):
+
+ $c->model('User')->create({
+ user => 456,
+ foo => 'a',
+ });
+
+Possible remediations include scrubbing your parameters with a form validator like
+L<HTML::FormHandler> or being careful to force scalar context using the scalar
+keyword:
+
+ $c->model('User')->create({
+ user => scalar($c->req->param('user')),
+ foo => scalar($c->req->param('foo')),
+ });
+
+Upcoming versions of L<Catalyst> will disable this interface by default and require
+you to positively enable it should you require it for backwards compatibility reasons.
+
=cut
sub param {
return keys %{ $self->parameters };
}
- if ( @_ == 1 ) {
+ # If anything in @_ is undef, carp about that, and remove it from
+ # the list;
+
+ my @params = grep { defined($_) ? 1 : do {carp "You called ->params with an undefined value"; 0} } @_;
- my $param = shift;
+ if ( @params == 1 ) {
+
+ defined(my $param = shift @params) ||
+ carp "You called ->params with an undefined value 2";
unless ( exists $self->parameters->{$param} ) {
return wantarray ? () : undef;
: $self->parameters->{$param};
}
}
- elsif ( @_ > 1 ) {
- my $field = shift;
- $self->parameters->{$field} = [@_];
+ elsif ( @params > 1 ) {
+ my $field = shift @params;
+ $self->parameters->{$field} = [@params];
}
}
next unless defined $value;
for ( ref $value eq 'ARRAY' ? @$value : $value ) {
$_ = "$_";
- utf8::encode( $_ ) if utf8::is_utf8($_);
+ # utf8::encode($_);
}
};
If parameters have already been set will clear the parameters and build them again.
+=head2 $self->env
+
+Access to the raw PSGI env.
=head2 meta