From a3d9e7291aff6636f3a9c7279d1132a75ab193b8 Mon Sep 17 00:00:00 2001 From: Kentaro Hayashi Date: Wed, 14 Jul 2021 13:46:02 +0100 Subject: [PATCH] Fix CGI::param error in collection3 Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 Forwarded: https://salsa.debian.org/debian/pkg-collectd/-/merge_requests/6 When using collection3 as a CGI, the following error is sent to logs repeatedly. This MR fixes it: FastCGI sent in stderr: "CGI::param called in list context from /usr/share/doc/collectd-core/examples/collection3/lib/Collectd/Graph/Common.pm line 529, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412" This is caused by inappropriate usage of param(), it should be handled as a scalar or should be treated by multi_param() explicitly. Closes: #982294 ref. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982294 Gbp-Pq: Name cgi-param-in-list-context.patch --- contrib/collection3/lib/Collectd/Graph/Common.pm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/contrib/collection3/lib/Collectd/Graph/Common.pm b/contrib/collection3/lib/Collectd/Graph/Common.pm index 31c530f..6193db6 100644 --- a/contrib/collection3/lib/Collectd/Graph/Common.pm +++ b/contrib/collection3/lib/Collectd/Graph/Common.pm @@ -526,7 +526,7 @@ sub get_selected_files for (qw(hostname plugin plugin_instance type type_instance)) { my $part = $_; - my @temp = param ($part); + my @temp = multi_param ($part); if (!@temp) { next; @@ -547,9 +547,9 @@ sub get_selected_files sub get_timespan_selection { my $ret = 86400; - if (param ('timespan')) + if (scalar param ('timespan')) { - my $temp = int (param ('timespan')); + my $temp = int (scalar param ('timespan')); if ($temp && ($temp > 0)) { $ret = $temp; 
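Review bot: `my @temp = multi_param ($part);` relies on `multi_param` being in scope, but `multi_param` is not imported unless the module's `use CGI` import list names it or pulls in an export tag that carries it, and that import line is outside this hunk; under `use strict` a parenthesised call to a missing sub is accepted at compile time and only fails at request time with an undefined-subroutine error, so please confirm the import covers it, e.g. `use CGI qw(param multi_param);`. The same applies to the `multi_param ('hostname')` and `multi_param ('plugin')` calls in the get_host_selection and get_plugin_selection hunks. get_selected_files continues outside the hunk, so how the values collected in `@temp` are sanitized afterwards is not visible here.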
@@ -568,7 +568,7 @@ sub get_host_selection $ret{$_} = 0; } - for (param ('hostname')) + for (multi_param ('hostname')) { my $host = _sanitize_generic_allow_minus ($_); if (defined ($ret{$host})) @@ -597,7 +597,7 @@ sub get_plugin_selection $ret{$_} = 0; } - for (param ('plugin')) + for (multi_param ('plugin')) { if (defined ($ret{$_})) { -- 2.30.2