X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Runtime.git;a=blobdiff_plain;f=lib%2FCatalyst%2FRequest.pm;h=523c3f2169f8452db794d3359e1a0cf0e7b4a0b6;hp=0fe34b0b4a72297648840c78d2609b7ceef43be4;hb=eb1f418b9ee46e9d6a10a0858a7da72ca0343760;hpb=32ed98de51991a84501ab4d32ff4db4fb7f128ad diff --git a/lib/Catalyst/Request.pm b/lib/Catalyst/Request.pm index 0fe34b0..523c3f2 100644 --- a/lib/Catalyst/Request.pm +++ b/lib/Catalyst/Request.pm @@ -11,6 +11,8 @@ use Stream::Buffered; use Hash::MultiValue; use Scalar::Util; use HTTP::Body; +use Catalyst::Exception; +use Catalyst::Request::PartData; use Moose; use namespace::clean -except => 'meta'; @@ -118,7 +120,11 @@ has body_data => ( sub _build_body_data { my ($self) = @_; - my $content_type = $self->content_type; + + # Not sure if these returns should not be exceptions... + my $content_type = $self->content_type || return; + return unless ($self->method eq 'POST' || $self->method eq 'PUT'); + my ($match) = grep { $content_type =~/$_/i } keys(%{$self->data_handlers}); @@ -127,7 +133,7 @@ sub _build_body_data { local $_ = $fh; return $self->data_handlers->{$match}->($fh, $self); } else { - return undef; + Catalyst::Exception->throw("$content_type is does not have an available data handler"); } } @@ -174,6 +180,7 @@ has body_parameters => ( is => 'rw', required => 1, lazy => 1, + predicate => 'has_body_parameters', builder => 'prepare_body_parameters', ); @@ -286,7 +293,10 @@ sub prepare_body { # Check for definedness as you could read '0' while ( defined ( my $chunk = $self->read() ) ) { $self->prepare_body_chunk($chunk); - $stream_buffer->print($chunk) if $stream_buffer; + next unless $stream_buffer; + + $stream_buffer->print($chunk) + || die sprintf "Failed to write %d bytes to psgi.input file: $!", length( $chunk ); } # Ok, we read the body. Lets play nice for any PSGI app down the pipe @@ -313,14 +323,31 @@ sub prepare_body_chunk { sub prepare_body_parameters { my ( $self, $c ) = @_; - + return $self->body_parameters if $self->has_body_parameters; $self->prepare_body if ! $self->_has_body; unless($self->_body) { - return $self->_use_hash_multivalue ? Hash::MultiValue->new : {}; + my $return = $self->_use_hash_multivalue ? Hash::MultiValue->new : {}; + $self->body_parameters($return); + return $return; } - my $params = $self->_body->param; + my $params; + my %part_data = %{$self->_body->part_data}; + if(scalar %part_data && !$c->config->{skip_complex_post_part_handling}) { + foreach my $key (keys %part_data) { + my $proto_value = $part_data{$key}; + my ($val, @extra) = (ref($proto_value)||'') eq 'ARRAY' ? @$proto_value : ($proto_value); + + if(@extra) { + $params->{$key} = [map { Catalyst::Request::PartData->build_from_part_data($_) } ($val,@extra)]; + } else { + $params->{$key} = Catalyst::Request::PartData->build_from_part_data($val); + } + } + } else { + $params = $self->_body->param; + } # If we have an encoding configured (like UTF-8) in general we expect a client # to POST with the encoding we fufilled the request in. Otherwise don't do any @@ -336,13 +363,16 @@ sub prepare_body_parameters { # # I need to see if $c is here since this also doubles as a builder for the object :( - if($c and $c->encoding) { + if($c and $c->encoding and !$c->config->{skip_body_param_unicode_decoding}) { $params = $c->_handle_unicode_decoding($params); } - return $self->_use_hash_multivalue ? + my $return = $self->_use_hash_multivalue ? Hash::MultiValue->from_mixed($params) : $params; + + $self->body_parameters($return) unless $self->has_body_parameters; + return $return; } sub prepare_connection { @@ -522,6 +552,13 @@ data of the type 'application/json' and return access to that data via this method. You may define addition data_handlers via a global configuration setting. See L for more information. +If the POST is malformed in some way (such as undefined or not content that +matches the content-type) we raise a L with the error +text as the message. + +If the POSTed content type does not match an available data handler, this +will also raise an exception. + =head2 $req->body_parameters Returns a reference to a hash containing body (POST) parameters. Values can @@ -532,6 +569,11 @@ be either a scalar or an arrayref containing scalars. These are the parameters from the POST part of the request, if any. +B If your POST is multipart, but contains non file upload parts (such +as an line part with an alternative encoding or content type) we cannot determine +the correct way to extra a meaningful value from the upload. In this case any +part like this will be represented as an instance of L. + =head2 $req->body_params Shortcut for body_parameters. @@ -657,17 +699,21 @@ cause a hash initialization error. For a more straightforward interface see C<< $c->req->parameters >>. B Interfaces like this, which are based on L and the C method -are now known to cause demonstrated exploits. It is highly recommended that you -avoid using this method, and migrate existing code away from it. Here's the +are known to cause demonstrated exploits. It is highly recommended that you +avoid using this method, and migrate existing code away from it. Here's a whitepaper of the exploit: L +B Further discussion on IRC indicate that the L core team from 'back then' +were well aware of this hack and this is the main reason we added the new approach to +getting parameters in the first place. + Basically this is an exploit that takes advantage of how L<\param> will do one thing in scalar context and another thing in list context. This is combined with how Perl chooses to deal with duplicate keys in a hash definition by overwriting the value of existing keys with a new value if the same key shows up again. Generally you will be -vulnerale to this exploit if you are using this method in a direct assignment in a +vulnerable to this exploit if you are using this method in a direct assignment in a hash, such as with a L create statement. For example, if you have parameters like: