Verify SQL injection attempts generate HTTP response 403

nigelhorne · Oct 18, 2024 · 6728104 · 6728104
1 parent 17d1949
commit 6728104
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/CGI/Info.pm b/lib/CGI/Info.pm
@@ -43,6 +43,10 @@ CGI::Info attempts to remove that.
 Furthermore, to aid script debugging, CGI::Info attempts to do sensible
 things when you're not running the program in a CGI environment.
 
+CGI::Info also provides a simple web application firewall.
+Whilst you shouldn't rely on it alone to provide security to your website,
+it is another layer and every little helps.
+
     use CGI::Info;
     my $info = CGI::Info->new();
     # ...

diff --git a/t/params.t b/t/params.t
@@ -2,7 +2,7 @@
 
 use strict;
 use warnings;
-use Test::Most tests => 179;
+use Test::Most tests => 181;
 use Test::NoWarnings;
 use File::Spec;
 use lib 't/lib';
@@ -96,13 +96,15 @@ PARAMS: {
 	$i = new_ok('CGI::Info');
 	ok(!defined($i->params()));
 	ok($i->as_string() eq '');
+	cmp_ok($i->status(), '==', 403, 'SQL Injection generates 403 code');
 
 	# Seen in vwf.log
 	$ENV{'QUERY_STRING'} = 'entry=-4346" OR 1749\=1749 AND "dgiO"\="dgiO;page=people';
 	$i = new_ok('CGI::Info');
 	ok(!defined($i->params()));
 	ok(!defined($i->entry()));
 	ok($i->as_string() eq '');
+	cmp_ok($i->status(), '==', 403, 'SQL Injection generates 403 code');
 
 	$ENV{'QUERY_STRING'} = '<script>alert(123)</script>=wilma';
 	$i = new_ok('CGI::Info');