Peter Sergeant > CatalystX-RequestRole-StrictParams-0.02 > CatalystX::RequestRole::StrictParams


NAME

CatalystX::RequestRole::StrictParams - Insist users specify HTTP method for form parameters

VERSION

version 0.02

DESCRIPTION

Insist users specify HTTP method for form parameters

SYNOPSIS

    package MyApp;

    use base 'Catalyst';
    use Catalyst;
    use CatalystX::RoleApplicator;

    # Apply the role to the request class before setup() so that every
    # request object handed to controllers lacks param/params/parameters.
    __PACKAGE__->apply_request_class_roles('CatalystX::RequestRole::StrictParams');

    __PACKAGE__->setup;

EXPLANATION

Perl wrappers around the CGI protocol frequently make it too easy to write exploitable code by conflating GET and POST parameters. Implementers should instead consider whether a given request is retrieving (GET) or modifying (POST) data.

This role removes the params, parameters and param methods from Catalyst request objects, forcing callers to use body_parameters and query_parameters instead.
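The following controller shows what code written against this role looks like: a read-only action that consults only the query string and a state-changing action that is restricted to POST and consults only the request body. It is an added example, not code from the distribution; the controller name, the DB::Account model and its search_by_name method are assumed for illustration.

```perl
package MyApp::Controller::Account;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Read-only action. Only query-string parameters are consulted, so a value
# placed in a POST body cannot change what is searched for.
sub search : Path('search') : Args(0) {
    my ($self, $c) = @_;
    my $term = $c->req->query_parameters->{q} // '';
    # DB::Account and search_by_name are assumed for this example.
    $c->stash(results => $c->model('DB::Account')->search_by_name($term));
}

# State-changing action. Restricted to POST via the Method attribute, and the
# id is read from the body only: a crafted link of the form
# /account/delete?id=42 neither matches the action nor supplies the id.
sub delete : Path('delete') : Args(0) : Method('POST') {
    my ($self, $c) = @_;
    my $id = $c->req->body_parameters->{id}
        or return $c->res->status(400);
    $c->model('DB::Account')->find($id)->delete;
    $c->res->redirect($c->uri_for('/account'));
}

# Without the role, the line below would silently accept the id from either
# the query string or the body. With the role applied, the param method no
# longer exists on the request object, so the call fails instead of merging.
#   my $id = $c->req->param('id');

__PACKAGE__->meta->make_immutable;
1;
```

The point of the split is that the parameter source now documents the action's intent: anything that modifies data reads body_parameters under a POST-only action, and anything that merely retrieves data reads query_parameters.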

WARNING

Cross-site Scripting vulnerabilities are easy to introduce, and often subtle. While using this module reduces the threat surface a little, it in no way provides general protection from all (or maybe even most) attacks.

SPONSORED BY

Initial development sponsored by NET-A-PORTER http://www.net-a-porter.com/, through their generous open-source support.

AUTHOR

Peter Sergeant - pete@clueball.com
