oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make sure that the Env macro cannot be used to access objects or data references.

Browse source
This commit is contained in:
Colin Kuskie 2012-02-11 14:15:53 -08:00
parent c76f12d278
commit 2f15d87377
3 changed files with 16 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/8.x.x.txt
View file

@ -5,4 +5,5 @@
- Added "hot sessions" so sessions interact with the database less. - Added "hot sessions" so sessions interact with the database less.
- Added Facebook Auth and FacebookLogin macro. - Added Facebook Auth and FacebookLogin macro.
- Removed the WebGUI statistics program and code. - Removed the WebGUI statistics program and code.
- Prevent Env Macro from being used to access objects in the environment - Thanks to Haarg

5
lib/WebGUI/Macro/Env.pm
View file

@ -25,7 +25,8 @@ Macro for displaying fields from the Session env hash.
=head3 key =head3 key
The key from the Session env hash to display. If the key doesn't exist, The key from the Session env hash to display. If the key doesn't exist,
then undef will be returned. then the empty string will be returned. This does not allow objects or data references
in the env hash to be accessed.
=cut =cut
@ -33,7 +34,7 @@ then undef will be returned.
sub process { sub process {
my $session = shift; my $session = shift;
my $key = shift; my $key = shift;
return $session->request->env->{$key}; return $session->request->env->{$key}.'';
} }
1; 1;

20
t/Macro/Env.t
View file

@ -14,6 +14,7 @@ use WebGUI::Test;
use WebGUI::Session; use WebGUI::Session;
use Data::Dumper; use Data::Dumper;
use WebGUI::Macro::Env; use WebGUI::Macro::Env;
use Scalar::Util qw/blessed/;
use Test::More; # increment this value for each test you create use Test::More; # increment this value for each test you create
@ -26,22 +27,25 @@ my $session = WebGUI::Test->session;
my %env = %{ $session->request->env }; my %env = %{ $session->request->env };
my @keys = keys %env; my @keys = keys %env;
my $numTests = 3 + scalar keys %env;
plan tests => $numTests;
my $output; my $output;
$output = WebGUI::Macro::Env::process($session, ''); $output = WebGUI::Macro::Env::process($session, '');
is($output, undef, 'null key'); is($output, '', 'null key');
$output = WebGUI::Macro::Env::process($session, undef); $output = WebGUI::Macro::Env::process($session, undef);
is($output, undef, 'undef key'); is($output, '', 'undef key');
$output = WebGUI::Macro::Env::process($session, 'KEY DOES NOT EXIST'); $output = WebGUI::Macro::Env::process($session, 'KEY DOES NOT EXIST');
is($output, undef, 'non existent key'); is($output, '', 'non existent key');
foreach my $key (keys %env) { foreach my $key (@keys) {
my $output = WebGUI::Macro::Env::process($session, $key); my $output = WebGUI::Macro::Env::process($session, $key);
is($output, $env{$key}, 'Fetching: '.$key); is($output, $env{$key}, 'Fetching: '.$key);
} }
##Checking for object access
$session->request->env->{'webgui.session'} = $session;
my $neo_session = WebGUI::Macro::Env::process($session, 'webgui.session');
ok ! ref $neo_session, 'did not get a reference back';
done_testing;