X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FRequest.pm;h=0cfcbae1c3cc583723dea6507ce508e25760a246;hb=2a2b8f6504e0e8adc7d7b78435ffdcd27c37fc15;hp=671dd51e4368360260818c7a7add45624329ef27;hpb=b94f8e72c1c8e8348efc0eb96660dd977a838ea7;p=catagits%2FCatalyst-Runtime.git diff --git a/lib/Catalyst/Request.pm b/lib/Catalyst/Request.pm index 671dd51..0cfcbae 100644 --- a/lib/Catalyst/Request.pm +++ b/lib/Catalyst/Request.pm @@ -10,6 +10,7 @@ use HTTP::Headers; use Stream::Buffered; use Hash::MultiValue; use Scalar::Util; +use HTTP::Body; use Catalyst::Exception; use Moose; @@ -316,7 +317,7 @@ sub prepare_body_chunk { } sub prepare_body_parameters { - my ( $self ) = @_; + my ( $self, $c ) = @_; $self->prepare_body if ! $self->_has_body; @@ -324,9 +325,29 @@ sub prepare_body_parameters { return $self->_use_hash_multivalue ? Hash::MultiValue->new : {}; } + my $params = $self->_body->param; + + # If we have an encoding configured (like UTF-8) in general we expect a client + # to POST with the encoding we fufilled the request in. Otherwise don't do any + # encoding (good change wide chars could be in HTML entity style llike the old + # days -JNAP + + # so, now that HTTP::Body prepared the body params, we gotta 'walk' the structure + # and do any needed decoding. + + # This only does something if the encoding is set via the encoding param. Remember + # this is assuming the client is not bad and responds with what you provided. In + # general you can just use utf8 and get away with it. + # + # I need to see if $c is here since this also doubles as a builder for the object :( + + if($c and $c->encoding) { + $params = $c->_handle_unicode_decoding($params); + } + return $self->_use_hash_multivalue ? - Hash::MultiValue->from_mixed($self->_body->param) : - $self->_body->param; + Hash::MultiValue->from_mixed($params) : + $params; } sub prepare_connection { @@ -510,7 +531,7 @@ If the POST is malformed in some way (such as undefined or not content that matches the content-type) we raise a L with the error text as the message. -If the POSTed content type does not match an availabled data handler, this +If the POSTed content type does not match an available data handler, this will also raise an exception. =head2 $req->body_parameters @@ -648,17 +669,21 @@ cause a hash initialization error. For a more straightforward interface see C<< $c->req->parameters >>. B Interfaces like this, which are based on L and the C method -are now known to cause demonstrated exploits. It is highly recommended that you -avoid using this method, and migrate existing code away from it. Here's the +are known to cause demonstrated exploits. It is highly recommended that you +avoid using this method, and migrate existing code away from it. Here's a whitepaper of the exploit: L +B Further discussion on IRC indicate that the L core team from 'back then' +were well aware of this hack and this is the main reason we added the new approach to +getting parameters in the first place. + Basically this is an exploit that takes advantage of how L<\param> will do one thing in scalar context and another thing in list context. This is combined with how Perl chooses to deal with duplicate keys in a hash definition by overwriting the value of existing keys with a new value if the same key shows up again. Generally you will be -vulnerale to this exploit if you are using this method in a direct assignment in a +vulnerable to this exploit if you are using this method in a direct assignment in a hash, such as with a L create statement. For example, if you have parameters like: @@ -938,7 +963,7 @@ sub mangle_params { next unless defined $value; for ( ref $value eq 'ARRAY' ? @$value : $value ) { $_ = "$_"; - utf8::encode( $_ ) if utf8::is_utf8($_); + # utf8::encode($_); } };