use Stream::Buffered;
use Hash::MultiValue;
use Scalar::Util;
+use HTTP::Body;
use Catalyst::Exception;
use Moose;
}
sub prepare_body_parameters {
- my ( $self ) = @_;
+ my ( $self, $c ) = @_;
$self->prepare_body if ! $self->_has_body;
return $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
}
+ my $params = $self->_body->param;
+
+ # If we have an encoding configured (like UTF-8) in general we expect a client
+ # to POST with the encoding we fufilled the request in. Otherwise don't do any
+ # encoding (good change wide chars could be in HTML entity style llike the old
+ # days -JNAP
+
+ # so, now that HTTP::Body prepared the body params, we gotta 'walk' the structure
+ # and do any needed decoding.
+
+ # This only does something if the encoding is set via the encoding param. Remember
+ # this is assuming the client is not bad and responds with what you provided. In
+ # general you can just use utf8 and get away with it.
+ #
+ # I need to see if $c is here since this also doubles as a builder for the object :(
+
+ if($c and $c->encoding) {
+ $params = $c->_handle_unicode_decoding($params);
+ }
+
return $self->_use_hash_multivalue ?
- Hash::MultiValue->from_mixed($self->_body->param) :
- $self->_body->param;
+ Hash::MultiValue->from_mixed($params) :
+ $params;
}
sub prepare_connection {
matches the content-type) we raise a L<Catalyst::Exception> with the error
text as the message.
-If the POSTed content type does not match an availabled data handler, this
+If the POSTed content type does not match an available data handler, this
will also raise an exception.
=head2 $req->body_parameters
C<< $c->req->parameters >>.
B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
-are now known to cause demonstrated exploits. It is highly recommended that you
-avoid using this method, and migrate existing code away from it. Here's the
+are known to cause demonstrated exploits. It is highly recommended that you
+avoid using this method, and migrate existing code away from it. Here's a
whitepaper of the exploit:
L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
+B<NOTE> Further discussion on IRC indicate that the L<Catalyst> core team from 'back then'
+were well aware of this hack and this is the main reason we added the new approach to
+getting parameters in the first place.
+
Basically this is an exploit that takes advantage of how L<\param> will do one thing
in scalar context and another thing in list context. This is combined with how Perl
chooses to deal with duplicate keys in a hash definition by overwriting the value of
existing keys with a new value if the same key shows up again. Generally you will be
-vulnerale to this exploit if you are using this method in a direct assignment in a
+vulnerable to this exploit if you are using this method in a direct assignment in a
hash, such as with a L<DBIx::Class> create statement. For example, if you have
parameters like:
next unless defined $value;
for ( ref $value eq 'ARRAY' ? @$value : $value ) {
$_ = "$_";
- utf8::encode( $_ ) if utf8::is_utf8($_);
+ # utf8::encode($_);
}
};