LP1895660: EGCatLoader/Search.pm
CGI::param called in list context from ...
this can lead to vulnerabilities
For any call to $cgi->param that happens in a list context we need
to verify 2 things: 1, that it is intentional (otherwise use scalar())
and 2, that we don't use the results in an unsafe manner.
For those situations where it's safe and a list is expected (join,
foreach, etc.) there is a $cgi->multi_param() that behaves the same way
but does not issue a warning on use in a list context.
An assumption was made that there will only be a single 'query'
parameter (see _prepare_biblio_search_basics) but if that should
instead be run through a join() that function will need to be updated.
For more details about the potential issues read
https://metacpan.org/pod/distribution/CGI/lib/CGI.pod#Fetching-the-value-or-values-of-a-single-named-parameter
Note that this change will likely require additional testing to
be sure there are no surprises.
Signed-off-by: Jason Boyer <JBoyer@equinoxinitiative.org>
projects / working / Evergreen.git / commit