# This file documents the revision history for Perl extension Catalyst.
+5.90079.06 - 2015-01-02
+ - Removed unneeded depdency on RenderView in new test case that was causing fails
+ on CPAN testers that did not just happen to have that dependency already installed
+ - Updated copyright notices to 2015
+ - Documentation patches around the setup methods and clarification on on security
+ note posted a few months ago.
+ - Added my name to the contributors list
+
5.90079_005 - 2014-12-31
- Merged changes from 5.90078
- If configuration 'using_frontend_proxy' is set, we add the correct middleware
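Review bot: The new Changes heading reads `5.90079.06`, which matches neither the `5.90079_006` that this same commit assigns to `$VERSION` nor the `5.90079_005` form of the entry directly below it; it should be `5.90079_006` so the changelog and the module version agree. In the added entries, "depdency" should be "dependency" and "clarification on on security note" has a doubled "on".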
__PACKAGE__->_encode_check(Encode::FB_CROAK | Encode::LEAVE_SRC);
# Remember to update this in Catalyst::Runtime as well!
-our $VERSION = '5.90079_005';
+our $VERSION = '5.90079_006';
$VERSION = eval $VERSION if $VERSION =~ /_/; # numify for warning-free dev releases
sub import {
B<Note:> You B<should not> wrap this method with method modifiers
or bad things will happen - wrap the C<setup_finalize> method instead.
+B<Note:> You can create a custom setup stage that will execute when the
+application is starting. Use this to customize setup.
+
+ MyApp->setup(-Custom=value);
+
+ sub setup_custom {
+ my ($class, $value) = @_;
+ }
+
+Can be handy if you want to hook into the setup phase.
+
=cut
sub setup {
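Review bot: The example call `MyApp->setup(-Custom=value);` in the added POD is unquoted, so a reader who copies it gets an assignment to a negated bareword instead of a flag string; write it as `MyApp->setup('-Custom=value');`. The note also only implies the mapping from the `-Custom` flag to the `setup_custom` method and what `$value` receives, so state that in a sentence. The closing line "Can be handy if you want to hook into the setup phase" repeats the opening and could be dropped.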
Upasana <me@upasana.me>
+John Napiorkowski (jnap) <jjnapiork@cpan.org>
+
=head1 COPYRIGHT
-Copyright (c) 2005-2014, the above named PROJECT FOUNDER and CONTRIBUTORS.
+Copyright (c) 2005-2015, the above named PROJECT FOUNDER and CONTRIBUTORS.
=head1 LICENSE
C<< $c->req->parameters >>.
B<NOTE> Interfaces like this, which are based on L<CGI> and the C<param> method
-are now known to cause demonstrated exploits. It is highly recommended that you
-avoid using this method, and migrate existing code away from it. Here's the
+are known to cause demonstrated exploits. It is highly recommended that you
+avoid using this method, and migrate existing code away from it. Here's a
whitepaper of the exploit:
L<http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
+B<NOTE> Further discussion on IRC indicate that the L<Catalyst> core team from 'back then'
+were well aware of this hack and this is the main reason we added the new approach to
+getting parameters in the first place.
+
Basically this is an exploit that takes advantage of how L<\param> will do one thing
in scalar context and another thing in list context. This is combined with how Perl
chooses to deal with duplicate keys in a hash definition by overwriting the value of
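Review bot: The added B<NOTE> is placed between the whitepaper link and the "Basically this is an exploit ..." paragraph that explains the issue, so the reader hits the IRC aside before learning what the exploit is; move it after the explanation. It refers to "this hack" and "the new approach to getting parameters" without naming either, which leaves a reader migrating away from `param` without a target, so name the replacement accessors here. "Further discussion on IRC indicate" should read "indicates".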
# Remember to update this in Catalyst as well!
-our $VERSION = '5.90079_005';
+our $VERSION = '5.90079_006';
$VERSION = eval $VERSION if $VERSION =~ /_/; # numify for warning-free dev releases
=head1 NAME