Send back HTTP code 422 when argument fails "allow"

nigelhorne · Oct 18, 2024 · bb7dd23 · bb7dd23
1 parent 6728104
commit bb7dd23
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/Changes b/Changes
@@ -1,5 +1,8 @@
 Revision history for CGI-Info
 
+0.85
+	Send back HTTP code 422 when argument fails "allow"
+
 0.84	Fri Oct 18 08:21:05 EDT 2024
 	Intercept SQL Injection
 		entry=-4346" OR 1749\=1749 AND "dgiO"\="dgiO;page=people

diff --git a/lib/CGI/Info.pm b/lib/CGI/Info.pm
@@ -740,6 +740,7 @@ sub params {
 				if($self->{logger}) {
 					$self->{logger}->info("discard $key");
 				}
+				$self->status(422);
 				next;
 			}
 
@@ -749,6 +750,7 @@ sub params {
 					if($self->{logger}) {
 						$self->{logger}->info("block $key = $value");
 					}
+					$self->status(422);
 					next;
 				}
 			}

diff --git a/t/params.t b/t/params.t
@@ -2,7 +2,7 @@
 
 use strict;
 use warnings;
-use Test::Most tests => 181;
+use Test::Most tests => 185;
 use Test::NoWarnings;
 use File::Spec;
 use lib 't/lib';
@@ -489,4 +489,26 @@ EOF
 	};
 
 	ok($@ =~ /Reset is a class method/);
+
+	$ENV{'GATEWAY_INTERFACE'} = 'CGI/1.1';
+	$ENV{'REQUEST_METHOD'} = 'GET';
+	$ENV{'QUERY_STRING'} = 'country=/etc/passwd&page=by_location';
+	delete $ENV{'CONTENT_TYPE'};
+	delete $ENV{'CONTENT_LENGTH'};
+	$i = new_ok('CGI::Info');
+
+	my $allow = {
+		'entry' => undef,
+		'country' => qr/^[A-Z\s]+$/i,	# Must start with a letter
+		'county' => qr/^[A-Z\s]+$/i,
+		'string' => undef,
+		'page' => 'by_location',
+		'lang' => qr/^[A-Z][A-Z]/i,
+	};
+
+	my %params = %{$i->params({ allow => $allow })};
+
+	cmp_ok($params{'page'}, 'eq', 'by_location', 'allow lets through legal parameters');
+	is($params{'country'}, undef, 'allow blocks illegal parameters');
+	cmp_ok($i->status(), '==', 422, 'HTTP Unprocessable Content');
 }