Make sure that the Env macro cannot be used to access objects or data references.
parent
c76f12d278
commit
2f15d87377
3 changed files with 16 additions and 10 deletions
|
|
@ -5,4 +5,5 @@
|
|||
- Added "hot sessions" so sessions interact with the database less.
|
||||
- Added Facebook Auth and FacebookLogin macro.
|
||||
- Removed the WebGUI statistics program and code.
|
||||
- Prevent Env Macro from being used to access objects in the environment - Thanks to Haarg
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,8 @@ Macro for displaying fields from the Session env hash.
|
|||
=head3 key
|
||||
|
||||
The key from the Session env hash to display. If the key doesn't exist,
|
||||
then undef will be returned.
|
||||
then the empty string will be returned. This does not allow objects or data references
|
||||
in the env hash to be accessed.
|
||||
|
||||
=cut
|
||||
|
||||
|
|
@ -33,7 +34,7 @@ then undef will be returned.
|
|||
sub process {
|
||||
my $session = shift;
|
||||
my $key = shift;
|
||||
return $session->request->env->{$key};
|
||||
return $session->request->env->{$key}.'';
|
||||
}
|
||||
|
||||
1;
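Review bot: In `process`, appending `.''` stringifies a reference instead of suppressing it, so a key such as `webgui.session` would still render as text of the form `CLASS=HASH(0x…)` for a plain blessed hash, putting a class name and memory address into page output. If the stored object overloads `""`, that overload runs and its result is returned. The updated POD promises the empty string only for a missing key and does not say what a reference-valued key yields. An explicit check would make the contract unambiguous: `my $value = $session->request->env->{$key};` `return '' if !defined $value || ref $value;` `return $value;`. This also avoids concatenating `undef`, which emits an "uninitialized value" warning if warnings are enabled in this file (the preamble is outside the hunk).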
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ use WebGUI::Test;
|
|||
use WebGUI::Session;
|
||||
use Data::Dumper;
|
||||
use WebGUI::Macro::Env;
|
||||
use Scalar::Util qw/blessed/;
|
||||
|
||||
use Test::More; # increment this value for each test you create
|
||||
|
||||
|
|
@ -26,22 +27,25 @@ my $session = WebGUI::Test->session;
|
|||
my %env = %{ $session->request->env };
|
||||
my @keys = keys %env;
|
||||
|
||||
my $numTests = 3 + scalar keys %env;
|
||||
|
||||
plan tests => $numTests;
|
||||
|
||||
my $output;
|
||||
|
||||
$output = WebGUI::Macro::Env::process($session, '');
|
||||
is($output, undef, 'null key');
|
||||
is($output, '', 'null key');
|
||||
|
||||
$output = WebGUI::Macro::Env::process($session, undef);
|
||||
is($output, undef, 'undef key');
|
||||
is($output, '', 'undef key');
|
||||
|
||||
$output = WebGUI::Macro::Env::process($session, 'KEY DOES NOT EXIST');
|
||||
is($output, undef, 'non existent key');
|
||||
is($output, '', 'non existent key');
|
||||
|
||||
foreach my $key (keys %env) {
|
||||
foreach my $key (@keys) {
|
||||
my $output = WebGUI::Macro::Env::process($session, $key);
|
||||
is($output, $env{$key}, 'Fetching: '.$key);
|
||||
}
|
||||
|
||||
##Checking for object access
|
||||
$session->request->env->{'webgui.session'} = $session;
|
||||
my $neo_session = WebGUI::Macro::Env::process($session, 'webgui.session');
|
||||
ok ! ref $neo_session, 'did not get a reference back';
|
||||
|
||||
done_testing;
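Review bot: The object-access check `ok ! ref $neo_session, ...` passes for any non-reference return value, including a stringified object, so it does not pin what the macro actually emits for `webgui.session`. Asserting the exact expected output would catch a leak of the class name or address, for example `is($neo_session, '', 'reference-valued key yields empty string');` if references are meant to be suppressed, or otherwise `unlike($neo_session, qr/\(0x[0-9a-f]+\)/, ...)`. The test also leaves `webgui.session` in the shared env hash; a `delete $session->request->env->{'webgui.session'};` after the assertion keeps later tests independent. `blessed` is imported from Scalar::Util but is not used in the visible hunks.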
|
||||
|
|
|
|||