From 17f05209915cfca26d650028378cbeb59e81e86d Mon Sep 17 00:00:00 2001
From: Denix
Date: Sat, 25 Jul 2015 20:00:57 +0200
Subject: [PATCH] moved CGI::param to CGI::multi_param

Calling param() in list context can lead to vulnerabilities if you do not sanitise user input as it is possible to inject other param keys and values into your code. This is why the multi_param() method exists, to make it clear that a list is being returned, note that param() can still be called in list context and will return a list for back compatibility.

Source: http://search.cpan.org/~leejo/CGI-4.21/lib/CGI.pod#Fetching_the_value_or_values_of_a_single_named_parameter
---
 perl_lib/EPrints/Repository.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/perl_lib/EPrints/Repository.pm b/perl_lib/EPrints/Repository.pm
index 2e003481..c06528e4 100644
--- a/perl_lib/EPrints/Repository.pm
+++ b/perl_lib/EPrints/Repository.pm
@@ -394,7 +394,7 @@ sub param
 if( defined $name )
 {
- @result = $self->{query}->param( $name );
+ @result = $self->{query}->multi_param( $name );
 }
 else
 {
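Review bot: The new `multi_param` call on the `+` line is a hard dependency on a recent CGI.pm (the method was added in the 4.08 series, as far as I recall), so on an older install this line dies with a method-not-found error where the old `param` call merely carried the list-context risk; the commit should either pin the minimum version where the query object is created (`use CGI 4.08;`) or guard the call, `@result = $self->{query}->can('multi_param') ? $self->{query}->multi_param( $name ) : $self->{query}->param( $name );`. Note also that the rename does not by itself remove the injection risk the commit message describes: `@result` is still handed back to callers of this `param` wrapper, and any caller that uses it in list context inside a hash constructor or argument list has exactly the same exposure one level up. That contract is worth stating in the sub's POD, along the lines of `# Returns a list in list context (all values for $name); callers that want a single value must call this in scalar context, otherwise extra user-supplied values can spill into a surrounding hash or argument list.` The enclosing `sub param` starts before the hunk and its `else` branch (the no-argument `param` call) continues after it, so the same version concern may apply there.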