X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Runtime.git;a=blobdiff_plain;f=lib%2FCatalyst%2FRequest.pm;h=523c3f2169f8452db794d3359e1a0cf0e7b4a0b6;hp=cdaa173ca8232f6e38926f332942b7bef06a2408;hb=eb1f418b9ee46e9d6a10a0858a7da72ca0343760;hpb=c0d561c143f688e7fb322fcf0b2e8ca64022e7d8
diff --git a/lib/Catalyst/Request.pm b/lib/Catalyst/Request.pm
index cdaa173..523c3f2 100644
--- a/lib/Catalyst/Request.pm
+++ b/lib/Catalyst/Request.pm
@@ -11,6 +11,8 @@ use Stream::Buffered;
 use Hash::MultiValue;
 use Scalar::Util;
 use HTTP::Body;
+use Catalyst::Exception;
+use Catalyst::Request::PartData;
 use Moose;
 use namespace::clean -except => 'meta';
@@ -118,7 +120,11 @@ has body_data => (
 sub _build_body_data {
 my ($self) = @_;
- my $content_type = $self->content_type;
+
+ # Not sure if these returns should not be exceptions...
+ my $content_type = $self->content_type || return;
+ return unless ($self->method eq 'POST' || $self->method eq 'PUT');
+
 my ($match) = grep { $content_type =~/$_/i } keys(%{$self->data_handlers});
@@ -127,7 +133,7 @@ sub _build_body_data {
 local $_ = $fh;
 return $self->data_handlers->{$match}->($fh, $self);
 } else {
- return undef;
+ Catalyst::Exception->throw("$content_type is does not have an available data handler");
 }
 }
@@ -174,6 +180,7 @@ has body_parameters => (
 is => 'rw',
 required => 1,
 lazy => 1,
+ predicate => 'has_body_parameters',
 builder => 'prepare_body_parameters',
 );
@@ -286,7 +293,10 @@ sub prepare_body {
 # Check for definedness as you could read '0'
 while ( defined ( my $chunk = $self->read() ) ) {
 $self->prepare_body_chunk($chunk);
- $stream_buffer->print($chunk) if $stream_buffer;
+ next unless $stream_buffer;
+
+ $stream_buffer->print($chunk)
+ || die sprintf "Failed to write %d bytes to psgi.input file: $!", length( $chunk );
 }
 # Ok, we read the body. Lets play nice for any PSGI app down the pipe
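Review bot: The two early returns added to `_build_body_data` (`my $content_type = $self->content_type || return;` and `return unless ($self->method eq 'POST' || $self->method eq 'PUT');`) make a missing Content-Type or a non-POST/PUT method yield an undef `body_data` silently, while the same function's next hunk turns an unmatched Content-Type into a `Catalyst::Exception`; the POD added later in this commit says malformed POSTs raise an exception, which the first case does not. Either throw in both cases or document the undef case in the POD. The method check also excludes PATCH, so a PATCH carrying `application/json` now returns undef where it previously dispatched to the data handler — that looks unintended; if it is, `return unless $self->method =~ m{\A(?:POST|PUT|PATCH)\z};` keeps the intent. The rest of `_build_body_data` (the handler dispatch) continues outside this hunk.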
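Review bot: The new exception message has a grammatical error in a runtime string, `"$content_type is does not have an available data handler"`; it should read `"$content_type does not have an available data handler"`. Note also that `$content_type` here is the client-supplied Content-Type header interpolated verbatim into the exception text; whether that text reaches an error page unescaped depends on the application's error handling, which is not visible here, but it is worth confirming that exception messages are not rendered raw to clients. `_build_body_data` begins in the previous hunk.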
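Review bot: In the `die` added to `prepare_body`, `$!` is interpolated into the sprintf format string itself (`die sprintf "Failed to write %d bytes to psgi.input file: $!", length( $chunk )`), so any `%` in the OS error text (locale-dependent) is parsed as a conversion directive and can produce garbage or a warning instead of the real message. Pass it as an argument instead: `|| die sprintf "Failed to write %d bytes to psgi.input file: %s", length( $chunk ), $!;`. Dying mid-loop also leaves the request body partially consumed; the caller presumably treats this as a fatal request error, but that is outside the hunk. `prepare_body` starts and ends outside this hunk.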
@@ -313,14 +323,31 @@ sub prepare_body_chunk {
 sub prepare_body_parameters {
 my ( $self, $c ) = @_;
-
+ return $self->body_parameters if $self->has_body_parameters;
 $self->prepare_body if ! $self->_has_body;
 unless($self->_body) {
- return $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
+ my $return = $self->_use_hash_multivalue ? Hash::MultiValue->new : {};
+ $self->body_parameters($return);
+ return $return;
 }
- my $params = $self->_body->param;
+ my $params;
+ my %part_data = %{$self->_body->part_data};
+ if(scalar %part_data && !$c->config->{skip_complex_post_part_handling}) {
+ foreach my $key (keys %part_data) {
+ my $proto_value = $part_data{$key};
+ my ($val, @extra) = (ref($proto_value)||'') eq 'ARRAY' ? @$proto_value : ($proto_value);
+
+ if(@extra) {
+ $params->{$key} = [map { Catalyst::Request::PartData->build_from_part_data($_) } ($val,@extra)];
+ } else {
+ $params->{$key} = Catalyst::Request::PartData->build_from_part_data($val);
+ }
+ }
+ } else {
+ $params = $self->_body->param;
+ }
 # If we have an encoding configured (like UTF-8) in general we expect a client
 # to POST with the encoding we fufilled the request in. Otherwise don't do any
@@ -336,13 +363,16 @@ sub prepare_body_parameters {
 #
 # I need to see if $c is here since this also doubles as a builder for the object :(
- if($c and $c->encoding) {
+ if($c and $c->encoding and !$c->config->{skip_body_param_unicode_decoding}) {
 $params = $c->_handle_unicode_decoding($params);
 }
- return $self->_use_hash_multivalue ?
+ my $return = $self->_use_hash_multivalue ?
 Hash::MultiValue->from_mixed($params) : $params;
+
+ $self->body_parameters($return) unless $self->has_body_parameters;
+ return $return;
 }
 sub prepare_connection {
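Review bot: The new condition `if(scalar %part_data && !$c->config->{skip_complex_post_part_handling})` calls `config` on `$c` unguarded, but this method also runs as the lazy builder for `body_parameters` (see `builder => 'prepare_body_parameters'` earlier in the diff), in which case `$c` is undef — the existing comment a few lines down, "I need to see if $c is here since this also doubles as a builder", and the `if($c and ...)` guard in the next hunk both acknowledge this. For a multipart request with parts, the builder path will therefore die with "Can't call method config on an undefined value". Guard it the same way, e.g. `if(scalar %part_data && !($c && $c->config->{skip_complex_post_part_handling})) {`, and decide explicitly whether the no-`$c` path should take the complex or the plain `param` branch. `prepare_body_parameters` continues in the next hunk.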
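Review bot: With the complex-part branch added in the previous hunk, `$params` may now hold `Catalyst::Request::PartData` objects (or arrayrefs of them) rather than strings when `$c->_handle_unicode_decoding($params)` is reached; whether that helper tolerates blessed values is not visible here and should be confirmed, since a decoder that stringifies or walks plain values could die or silently drop those parts. A short comment above the call, such as `# $params may contain Catalyst::Request::PartData objects when complex part handling is on`, would make the contract explicit. `prepare_body_parameters` starts in the previous hunk.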
@@ -522,6 +552,13 @@ data of the type 'application/json' and return access to that data via this method. You may define addition data_handlers via a global configuration setting. See L for more information. +If the POST is malformed in some way (such as undefined or not content that +matches the content-type) we raise a L with the error +text as the message. + +If the POSTed content type does not match an available data handler, this +will also raise an exception. + =head2 $req->body_parameters Returns a reference to a hash containing body (POST) parameters. Values can @@ -532,6 +569,11 @@ be either a scalar or an arrayref containing scalars. These are the parameters from the POST part of the request, if any. +B If your POST is multipart, but contains non file upload parts (such +as an line part with an alternative encoding or content type) we cannot determine +the correct way to extra a meaningful value from the upload. In this case any +part like this will be represented as an instance of L. + =head2 $req->body_params Shortcut for body_parameters. 
@@ -656,6 +698,60 @@ If multiple C parameters are provided this code might corrupt data or cause a hash initialization error. For a more straightforward interface see C<< $c->req->parameters >>. +B Interfaces like this, which are based on L and the C method +are known to cause demonstrated exploits. It is highly recommended that you +avoid using this method, and migrate existing code away from it. Here's a +whitepaper of the exploit: + +L + +B Further discussion on IRC indicate that the L core team from 'back then' +were well aware of this hack and this is the main reason we added the new approach to +getting parameters in the first place. + +Basically this is an exploit that takes advantage of how L<\param> will do one thing +in scalar context and another thing in list context. This is combined with how Perl +chooses to deal with duplicate keys in a hash definition by overwriting the value of +existing keys with a new value if the same key shows up again. Generally you will be +vulnerable to this exploit if you are using this method in a direct assignment in a +hash, such as with a L create statement. 
For example, if you have +parameters like: + + user?user=123&foo=a&foo=user&foo=456 + +You could end up with extra parameters injected into your method calls: + + $c->model('User')->create({ + user => $c->req->param('user'), + foo => $c->req->param('foo'), + }); + +Which would look like: + + $c->model('User')->create({ + user => 123, + foo => qw(a user 456), + }); + +(or to be absolutely clear if you are not seeing it): + + $c->model('User')->create({ + user => 456, + foo => 'a', + }); + +Possible remediations include scrubbing your parameters with a form validator like +L or being careful to force scalar context using the scalar +keyword: + + $c->model('User')->create({ + user => scalar($c->req->param('user')), + foo => scalar($c->req->param('foo')), + }); + +Upcoming versions of L will disable this interface by default and require +you to positively enable it should you require it for backwards compatibility reasons. + =cut sub param {