Merge branch 'master' into sipb
Conflicts: po/Makefile templates/page.tmpl

IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs
We're running under "use strict" here, so if CGI->param's array-context misbehaviour passes an extra non-ref parameter, it shouldn't be executed anyway... but it's as well to be safe. [commit message added by smcv]

Call CGI->param_fetch instead of CGI->param in array context
CGI->param has the misfeature that it is context-sensitive, and in particular can expand to more than one scalar in function calls. This led to a security vulnerability in Bugzilla, and recent versions of CGI.pm will warn when it is used in this way. In the situations where we do want to cope with more than one parameter of the same name, CGI->param_fetch (which always returns an array-reference) makes the intention clearer. [commit message added by smcv]

Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function parameters, it expands to all the potentially multiple values of the parameter: for instance, if we parse query string a=b&a=c&d=e and call func($cgi->param('a')), that's equivalent to func('b', 'c'). Most of the functions we're calling do not expect that. I do not believe this is an exploitable security vulnerability in ikiwiki, but it was exploitable in Bugzilla.
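
The list-context expansion described in the commit messages above, shown next to the two forms that avoid it. This is an added example, not code from ikiwiki or from these commits; `describe()` and the `'safe-default'` argument are hypothetical, and the query string is the constructed one from the last message.

```perl
#!/usr/bin/perl
# Added illustration; not ikiwiki code. describe() is a hypothetical callee.
use strict;
use warnings;
use CGI;

# Constructed query string, the one quoted in the commit message.
my $cgi = CGI->new('a=b&a=c&d=e');

# Hypothetical function that expects exactly two positional arguments.
sub describe {
    my ($value, $mode) = @_;
    return sprintf 'value=%s mode=%s argc=%d',
        $value // 'undef', $mode // 'undef', scalar @_;
}

# List context: param('a') expands to ('b', 'c'), so the request, not the
# caller, supplies the second argument and the intended one is pushed to
# third place. Recent versions of CGI.pm warn about this call.
print 'list context: ',
    describe($cgi->param('a'), 'safe-default'), "\n";

# Forcing scalar context yields a single value (the first one), so the
# argument list keeps the shape the caller wrote.
print 'scalar():     ',
    describe(scalar($cgi->param('a')), 'safe-default'), "\n";

# param_fetch always returns one array reference, whatever the context,
# so repeated parameters are handled deliberately instead of being
# spliced into the argument list.
my $values = $cgi->param_fetch('a');
print 'param_fetch:  ',
    describe($values->[0], 'safe-default'),
    ' (', scalar(@$values), " values submitted)\n";
```

When auditing a code base for this pattern, the calls to look for are `->param(...)` appearing directly inside an argument list, a hash constructor or any other list context.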