From 2f15d8737765b5ed41f61472d05075191e79d22e Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Sat, 11 Feb 2012 14:15:53 -0800
Subject: [PATCH] Make sure that the Env macro cannot be used to access objects or data references.
---
 docs/changelog/8.x.x.txt | 1 +
 lib/WebGUI/Macro/Env.pm | 5 +++--
 t/Macro/Env.t | 20 ++++++++++++--------
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/docs/changelog/8.x.x.txt b/docs/changelog/8.x.x.txt
index 15a0c6713..90ea1dae5 100644
--- a/docs/changelog/8.x.x.txt
+++ b/docs/changelog/8.x.x.txt
@@ -5,4 +5,5 @@
 - Added "hot sessions" so sessions interact with the database less.
 - Added Facebook Auth and FacebookLogin macro.
 - Removed the WebGUI statistics program and code.
+ - Prevent Env Macro from being used to access objects in the environment - Thanks to Haarg
diff --git a/lib/WebGUI/Macro/Env.pm b/lib/WebGUI/Macro/Env.pm
index cd94c8fdb..69a0859ec 100644
--- a/lib/WebGUI/Macro/Env.pm
+++ b/lib/WebGUI/Macro/Env.pm
@@ -25,7 +25,8 @@ Macro for displaying fields from the Session env hash.
 =head3 key
 The key from the Session env hash to display. If the key doesn't exist,
-then undef will be returned.
+then the empty string will be returned. This does not allow objects or data references
+in the env hash to be accessed.
 =cut
@@ -33,7 +34,7 @@ then undef will be returned.
 sub process {
 my $session = shift;
 my $key = shift;
- return $session->request->env->{$key};
+ return $session->request->env->{$key}.'';
 }
 1;
diff --git a/t/Macro/Env.t b/t/Macro/Env.t
index 9542bdc5e..3c9caace0 100644
--- a/t/Macro/Env.t
+++ b/t/Macro/Env.t
@@ -14,6 +14,7 @@ use WebGUI::Test;
 use WebGUI::Session;
 use Data::Dumper;
 use WebGUI::Macro::Env;
+use Scalar::Util qw/blessed/;
 use Test::More; # increment this value for each test you create
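Review bot: `return $session->request->env->{$key}.'';` stringifies a reference instead of refusing it, so a plain reference comes back in its address form (e.g. `HASH(0x…)`) and a blessed object with an overloaded `""` has that overload invoked and its output returned to the template; the POD hunk above promises that "objects or data references" cannot be accessed, which this only approximates. The concatenation also raises `Use of uninitialized value` for the '', undef and missing-key cases the test file exercises, if this module enables warnings (not visible in the hunk). Returning the empty string explicitly for undefined and reference values would match the documented contract: `my $value = defined $key ? $session->request->env->{$key} : undef;` `return '' if !defined $value || ref $value;` `return "$value";`.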
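Review bot: `use Scalar::Util qw/blessed/;` is added here but `blessed` is not used anywhere in this patch; the object-access assertion further down uses `ref` instead. Either drop the import or use it in that assertion (`ok !blessed($neo_session), …` alongside the `ref` check), so the import documents a real dependency.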
@@ -26,22 +27,25 @@ my $session = WebGUI::Test->session;
 my %env = %{ $session->request->env };
 my @keys = keys %env;
-my $numTests = 3 + scalar keys %env;
-
-plan tests => $numTests;
-
 my $output;
 $output = WebGUI::Macro::Env::process($session, '');
-is($output, undef, 'null key');
+is($output, '', 'null key');
 $output = WebGUI::Macro::Env::process($session, undef);
-is($output, undef, 'undef key');
+is($output, '', 'undef key');
 $output = WebGUI::Macro::Env::process($session, 'KEY DOES NOT EXIST');
-is($output, undef, 'non existent key');
+is($output, '', 'non existent key');
-foreach my $key (keys %env) {
+foreach my $key (@keys) {
 my $output = WebGUI::Macro::Env::process($session, $key);
 is($output, $env{$key}, 'Fetching: '.$key);
 }
+
+##Checking for object access
+$session->request->env->{'webgui.session'} = $session;
+my $neo_session = WebGUI::Macro::Env::process($session, 'webgui.session');
+ok ! ref $neo_session, 'did not get a reference back';
+
+done_testing;
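Review bot: `ok ! ref $neo_session, 'did not get a reference back';` only checks that the result is not a reference, which the new `.''` in Env.pm satisfies by returning the stringified address of the session object, so the test does not pin what a template author actually sees for a reference-valued key. If the intended contract is that such keys render as nothing, `is($neo_session, '', 'reference values render as the empty string');` states it and would catch a regression that leaks the address form; a second case with a value whose class overloads `""` would cover the remaining gap. The assignment `$session->request->env->{'webgui.session'} = $session;` also mutates the shared request env and is never undone; `@keys` was snapshotted earlier so the loop above is unaffected, but a `delete $session->request->env->{'webgui.session'};` after the assertion keeps later tests in this process from inheriting it.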