Bugzilla mis-using CGI.pm is not a bug

Gervase Markham writes about a New Class of Vulnerability that shows the unbridled ego that leads to someone blaming the language and ignoring their own lack of competence.

He writes about a new class vulnerability for what he labels a bug. It’s neither new nor a bug. Miyagawa wrote about this in 2009 in Perl: Why parameters() sucks and what we can do, and that’s still not the origin of it. I know about in the 90s when I was making these mistakes. If you think you’ve found something new, you’re probably wrong. Don’t get too excited too soon.

Gervase is writing about the param method from CGI.pm. In particular, in list context it returns a list of all the form fields with that name:

my @params = $cgi->param( $field );

If there are no form fields with that name, it returns the empty list. That means when Bugzilla used it in list context to create a hash, it was courting disaster by not properly checking its return value:

my $otheruser = Bugzilla::User->create({
    login_name => $login_name, 
    realname   => $cgi->param('realname'), 
    cryptpassword => $password});

If there’s no realname, param returns an empty list and cryptpassword becomes the value for realname.

This is a problem with the competence of the Bugzilla developers. Hey, it happens. But, it’s how you react when you mess up that matters. Blaming the language is the wrong move. It’s not even a language issue. It’s a misuse of a designed and documented API.

But, that’s not the real problem here. The syntax and API misuse is the problem. The Bugzilla developers are taking unfiltered and invalidated input directly from the user and doing things with it. Even if the param method did what they expected, they are still wrong.

This sensationalist posts then make the rounds of the internet, amplified by people who never bothered to learn the tool. It fits their uninformed mental models of the world. Other ignorant people are quick to jump onto that bandwagon because they mirror the behavior of the group they want to belong to. And, most everyone ends up worse for it.

If you mess up, take the blame for it and move on. It makes life so much easier.

