From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: Request to merge: new-updxlrtr-v3.0: Enabling GET-Params for %xlrtrsettings Date: Fri, 26 Apr 2013 12:35:41 +0200 Message-ID: <1366972541.32654.154.camel@rice-oxley.tremer.info> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1758189484544563601==" List-Id: --===============1758189484544563601== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit On Thu, 2013-04-25 at 13:55 +0200, Jörn-Ingo Weigert wrote: > I'm not really happy about re-implementing basic Features of HTML via > JS, > just cause of a limited processing (and thats what this return if... > is) No, it is a lot easier to make this kind of attack - without JS. All the JS interpreters in modern browsers have a restriction that they cannot send requests across different domains. That does not count for image URL, etc. For example the following code would indeed work: You cannot send POST requests that easy. > Sure, if there is a better solution to only on GET and POST methods it > would be great to implement My proposal would be to create a new function which only reads the query string and returns a hash array with all the attributes that you want to have. All the rest is ignored. For example: # URL: https://192.168.1.1:444/cgi-bin/some.cgi?param1=123 my @values = ("param1"); my %hash = getquerystring(@values); print $hash{'param1'}; > 123 This leaves getcgihash untouched, so we don't create new problems here. -Michael --===============1758189484544563601==--