X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Runtime.git;a=blobdiff_plain;f=lib%2FCatalyst%2FRequest.pm;h=56dfb65cd82dce2be27823644a34d72053e83b61;hp=f5232b91ed3fcc60f3dba0a3705082c14504821d;hb=f384c84887409fd343be4751b40a232ebf224b5c;hpb=0810283f5e3c710d09ab56ceb8fb0b6bfbe3bbe9 diff --git a/lib/Catalyst/Request.pm b/lib/Catalyst/Request.pm index f5232b9..56dfb65 100644 --- a/lib/Catalyst/Request.pm +++ b/lib/Catalyst/Request.pm @@ -636,8 +636,10 @@ If multiple C parameters are provided this code might corrupt data or cause a hash initialization error. For a more straightforward interface see C<< $c->req->parameters >>. -B A recently discovered exploit in L style param methods does exist -in L. Here's the whitepaper of the exploit: +B Interfaces like this, which are based on L and the C method +are now known to cause demonstrated exploits. It is highly recommended that you +avoid using this method, and migrate existing code away from it. Here's the +whitepaper of the exploit: L @@ -681,6 +683,9 @@ keyword: foo => scalar($c->req->param('foo')), }); +Upcoming versions of L will disable this interface by default and require +you to positively enable it should you require it for backwards compatibility reasons. + =cut sub param {
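Review bot: In the first hunk (@@ -636,8 +636,10 @@), the new warning tells readers to "avoid using this method, and migrate existing code away from it" but does not say what to migrate to. The unchanged context line just above already names `$c->req->parameters` as the more straightforward interface, so the warning should point there explicitly. It would also help to tie the warning to the hazard the preceding paragraph describes (multiple values for one parameter corrupting data or causing a hash initialization error), so the reader learns what the risk is without opening the whitepaper. The phrase "are now known to cause demonstrated exploits" reads awkwardly; something like "have been shown to be exploitable" is clearer.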
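Review bot: In the second hunk (@@ -681,6 +683,9 @@), the added sentence "Upcoming versions of L will disable this interface by default" promises a behaviour change but names neither the version nor the setting a user would need to "positively enable" it, so readers cannot plan for it. The hunk also only touches POD: `sub param` itself is unchanged in the visible lines, so existing callers get no runtime signal that the interface is going away. Consider stating the planned version and option name once they are decided, and emitting a deprecation warning from `sub param` in the same release. Because the sentence sits directly after the `scalar($c->req->param('foo'))` example, it is also worth saying whether the scalar-context form shown there will be disabled as well.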