Scott R. Godin > CGI-NoPoison-3.11 > CGI::NoPoison
Module Version: 3.11

NAME

CGI::NoPoison - No Poison Null Byte in CGI->Vars


SYNOPSIS

        use CGI;
        use CGI::NoPoison;

        my $m = CGI->new();
        # set a multi-valued param with an anonymous array, not a \0-packed string
        $m->param( -name  => 'amplifier',
                   -value => ['nine', 'ten', 'up to eleven'] );
        my %h = $m->Vars();
        # look ma, no splitting on poison null-bytes ( '\0' )!
        print "$_ => ", join(", ", @{$h{$_}}), "\n" for keys %h;
        print "This one goes ", ($m->param('amplifier'))[2], "\n";


DESCRIPTION

Simplicity itself. Instead of using a null byte to separate multi-valued fields, why not just use what CGI.pm already uses to store the values internally?

"What's that?", you ask? Why, it's an anonymous array, of course, like anyone sensible would use. The \0-packed format may have been fine years and years ago, but this now-archaic throwback no longer needs us to bow to its demands. (Is anyone still actually using it? Yikes.)

This does, however, change how you parse the result of CGI->Vars() (as an anonymous array, not a \0-packed string) and also how you set params.

NOW you can properly test for inserted null bytes in a secure environment WHILE taking advantage of the convenience of the Vars() function.
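The following is an added illustration, not code from this module: it emulates the two Vars() conventions in plain Perl (without loading CGI.pm or CGI::NoPoison) on a constructed parameter set, and shows why a null-byte check on the \0-packed form cannot tell a legitimate multi-valued field from a single poisoned value, while the anonymous-array form can.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of already-parsed form data: one legitimate
# multi-valued field and one single-valued field into which a client
# embedded a null byte (sent as %00).
my %params = (
    amplifier => [ 'nine', 'ten', 'up to eleven' ],
    filename  => [ "report.txt\0.html" ],
);

# Classic CGI->Vars() convention: values of a field are joined with "\0".
# A legitimate list and a poisoned single value become indistinguishable.
sub vars_packed {
    my ($p) = @_;
    return map { $_ => join("\0", @{ $p->{$_} }) } keys %$p;
}

# CGI::NoPoison convention: every field is an anonymous array, so value
# boundaries survive and a null byte inside a value is still visible.
sub vars_arrayref {
    my ($p) = @_;
    return map { $_ => [ @{ $p->{$_} } ] } keys %$p;
}

# Defender's check: report every field with a "\0" in any individual value.
sub poisoned_fields {
    my ($vars) = @_;
    return grep {
        my $v = $vars->{$_};
        ref $v ? scalar( grep { /\0/ } @$v ) : $v =~ /\0/;
    } sort keys %$vars;
}

my %packed   = vars_packed(\%params);
my %arrayref = vars_arrayref(\%params);

# Packed form: the check flags BOTH fields, so it is useless as a filter,
# and "fixing" it by splitting on "\0" turns the poisoned filename into
# two harmless-looking values.
print "packed   flags: ", join(", ", poisoned_fields(\%packed)),   "\n";
print "arrayref flags: ", join(", ", poisoned_fields(\%arrayref)), "\n";
print "filename values (arrayref):  ", scalar(@{ $arrayref{filename} }), "\n";
print "filename pieces after split: ", scalar(split /\0/, $packed{filename}), "\n";
```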


USAGE

Include 'use CGI::NoPoison' only after you've already done 'use CGI', so that it can replace the AUTOLOAD routines with these replacement functions.

(By the way, the internal functions that we replace are: CGI::SplitParam, CGI::STORE, and CGI::FETCH, not that you'd actually ever use these directly :)

Then all you have to do is remember that anywhere you would previously have split on \0, or packed a string with it, take an array reference or use an anonymous array instead. See the CGI module documentation for details.


BUGS

None so far. :)

Well, this may actually be a pretty wonky way of replacing those functions in CGI.pm, but hey, it worked here. YMMV. :D


SUPPORT

Yer on yer own with this one. Hopefully Lincoln Stein will get around to adding this as a -nopoison pragma to CGI.pm at some point.


AUTHOR

        Scott R. Godin
        Laughing Dragon Services


COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

The full text of the license can be found in the LICENSE file included with this module.

SEE ALSO

Google around for "poison null byte"

CGI, perlref
