X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Runtime.git;a=blobdiff_plain;f=lib%2FCatalyst%2FRequest.pm;h=c0d9fcaf2ecdc2ffcbaeddc2d82d756465467015;hp=5e5730593328d2acb250004f82d88f40913f1e1a;hb=ac1cf8d417b2f21cfd997b8cc7756e2bb36dedc7;hpb=8570b50e7fa3aaaaa55a9bc7d95cfe169555397b

diff --git a/lib/Catalyst/Request.pm b/lib/Catalyst/Request.pm
index 5e57305..c0d9fca 100644
--- a/lib/Catalyst/Request.pm
+++ b/lib/Catalyst/Request.pm
@@ -669,12 +669,16 @@ cause a hash initialization error. For a more straightforward interface see
 C<< $c->req->parameters >>.
 
 B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
-are now known to cause demonstrated exploits. It is highly recommended that you
-avoid using this method, and migrate existing code away from it.  Here's the
+are known to cause demonstrated exploits. It is highly recommended that you
+avoid using this method, and migrate existing code away from it.  Here's a
 whitepaper of the exploit:
 
 L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
 
+B<NOTE> Further discussion on IRC indicate that the L<Catalyst> core team from 'back then'
+were well aware of this hack and this is the main reason we added the new approach to
+getting parameters in the first place.
+
 Basically this is an exploit that takes advantage of how L<\param> will do one thing
 in scalar context and another thing in list context.  This is combined with how Perl
 chooses to deal with duplicate keys in a hash definition by overwriting the value of