PerlMonks  

"CGI::param called in list context" confusion

by Anonymous Monk
on Mar 17, 2015 at 12:54 UTC

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Someone upgraded CGI.pm here; now I see lots of this warning in the logs. Google shows http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications but I'm still confused. In reddit terms, ELI5 (explain it like I'm 5). What is the real problem, how do I figure out if the code that throws these warnings is really vulnerable, and how do I fix code that is?

Re: "CGI::param called in list context" confusion
by Corion (Patriarch) on Mar 17, 2015 at 12:56 UTC

    Somewhere in your code, something calls $cgi->param('foo'), but allows it to return more than one parameter. The line could look like:

    my @foos= $cgi->param('foo');

    or

    print_results( foo => $cgi->param('foo'), is_admin => 0 );

    The second form is the problematic form, because $cgi->param('foo') could return more than one item but nothing in your code expects that. The most likely fix is to change that line to:

    print_results( foo => scalar($cgi->param('foo')), is_admin => 0 );
      Thanks! Can you explain how this could be exploited? Is there a quick way to test? I would better understand how this could be exploited so we can change the code. Thanks

        Look again at the example I gave in my above code. Submitting more than one value for foo allows you to swap keys and values in the call to the function or to insert additional keys into the call.

        For example if your code is

        #!perl -w
        use strict;
        use CGI;
        use Data::Dumper;

        # Takes a flat key/value list and builds a hash from it
        sub do_foo {
            my( %params )= @_;
            print Dumper \%params;
            if( $params{ is_admin }) {
                print "Is admin\n";
            } else {
                print "No admin\n";
            };
        };

        my $q= CGI->new();
        # param('foo') is in list context here: every submitted foo value
        # lands in the argument list
        do_foo( is_admin => 0, foo => $q->param('foo') );

        ... then you can test various incantations from the command line:

        perl -w test.pl foo=1
        perl -w test.pl foo=bar
        perl -w test.pl 'foo=0&foo=is_admin&foo=yeah&foo=another_parameter&foo=yippieh'
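As an added illustration of the key/value shift Corion describes (example code, not from the thread), the vulnerable hash construction next to the scalar() fix and the multi_param() form; it assumes CGI.pm 4.08 or later for multi_param() and $CGI::LIST_CONTEXT_WARN, and builds the request from a constructed query string instead of a live CGI environment:

```perl
#!/usr/bin/env perl
# Added example (not from the thread): the list-context param() bug beside
# two safe forms. Assumes CGI.pm 4.08+ (multi_param, $CGI::LIST_CONTEXT_WARN).
use strict;
use warnings;
use CGI;

$CGI::LIST_CONTEXT_WARN = 0;    # keep the output readable; the real fix is below

# Constructed request: the client sends foo three times.
my $q = CGI->new('foo=0&foo=is_admin&foo=1');

# VULNERABLE: param() in list context expands to all three values, so the
# list becomes ( is_admin => 0, foo => 0, 'is_admin', 1 ) and the
# client-supplied is_admin key overwrites the hard-coded one.
sub role_vulnerable {
    my ($cgi) = @_;
    my %p = ( is_admin => 0, foo => $cgi->param('foo') );
    return $p{is_admin} ? 'admin' : 'user';
}

# FIX 1: force scalar context; only the first value is used and the hash
# keeps exactly the keys written in the source.
sub role_scalar {
    my ($cgi) = @_;
    my %p = ( is_admin => 0, foo => scalar( $cgi->param('foo') ) );
    return $p{is_admin} ? 'admin' : 'user';
}

# FIX 2: when several values are legitimate, collect them with
# multi_param() into an array ref so they can never land in a key slot.
sub role_multi {
    my ($cgi) = @_;
    my @foos = $cgi->multi_param('foo');
    my %p = ( is_admin => 0, foo => \@foos );
    return ( $p{is_admin} ? 'admin' : 'user', scalar @foos );
}

my ($role, $count) = role_multi($q);
print "vulnerable: ", role_vulnerable($q), "\n";
print "scalar:     ", role_scalar($q), "\n";
print "multi:      $role ($count foo values)\n";
```

The first line of output is the only one that reports admin, which is the whole bug: no check was bypassed, the caller's own hash was rewritten by the extra parameters.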
Re: "CGI::param called in list context" confusion
by LanX (Saint) on Mar 17, 2015 at 13:15 UTC
    > how do I figure out if the code that throws these warnings is really vulnerable, how do I fix code that is?

    Warnings will show you a line number; if you are only expecting a scalar to be returned, use scalar like Corion showed.

    But if you really expect multiple values from HTTP for the same element, you should look into CGI for the recommended workaround.¹

    HTH! :)

    Cheers Rolf
    (addicted to the Perl Programming Language and ☆☆☆☆ :)

    PS: Je suis Charlie!

    ¹) you can disable this warning by setting $CGI::LIST_CONTEXT_WARN to 0 or by using the multi_param() method instead

      > you can disable this warning by setting $CGI::LIST_CONTEXT_WARN to 0 or by using the multi_param() method instead

      Nice to know, I wasn't aware of that change.

      But: I would have expected a big fat warning (or at least a hint) right at the top of the documentation of CGI.pm. There is a warning that CGI.pm is no longer part of the Perl core, and another one deprecating HTML generating functions, but no obvious hint for experienced CGI.pm v3.x users. Sure, I could have read the Changes file, but I would expect API changes like this one to be announced in the main documentation.

      To make things worse, the main documentation (still) has porting notes for the ancient cgi-lib.pl that hopefully nobody uses any more, but no notes for porting from the v3.x series to the v4.x series.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: "CGI::param called in list context" confusion
by Anonymous Monk on Mar 17, 2015 at 22:45 UTC
    You can always downgrade CGI.pm and live with the old bugs :)
