Comment 10 for bug 1189989

Galen Charlton (gmc) wrote :

From the patch:

+ my $thaw_date;
+ if ($cgi->param('hold_suspend') && $cgi->param('thaw_date') =~ m:^(\d{2})/(\d{2})/(\d{4})$:){
+ $thaw_date = "$3-$1-$2";
+ }
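Review bot: the hand-rolled regex in the `if ($cgi->param('hold_suspend') && $cgi->param('thaw_date') =~ m:^(\d{2})/(\d{2})/(\d{4})$:)` line checks digit counts only, so an input such as 99/99/2013 matches and is rewritten to "2013-99-99" with no range check, while any other layout silently leaves $thaw_date undefined and the submitted date is dropped without an error; run the value through a format-aware date parser and reject an unparseable thaw date explicitly instead of falling through.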

Noting that this is not a great way of parsing dates; it can't be localized, for one thing. I also note that there's at least one other place in Account.pm that does that, but at least it's marked with a TODO.

+ frozen => $cgi->param('hold_suspend'),
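Review bot: `frozen => $cgi->param('hold_suspend'),` calls param() in list context inside the hash constructor, so every repeated hold_suspend value is flattened into the key/value list and shifts later pairs; force scalar context with `frozen => scalar $cgi->param('hold_suspend'),` (or read the value into a scalar first) so only one value reaches the hash.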

Of more import, this construct is problematic: because $cgi->param() is evaluated in list context, an attacker could add multiple instances of the hold_suspend URL parameter to inject unwanted keys and values into the parameter hash.
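The list-context behaviour described in this comment can be reproduced in a few lines. The script below is an added illustration, not code from the patch or from the Koha project; it assumes the CGI.pm module is installed and feeds it a constructed query string in which hold_suspend is repeated. The function names build_unsafe and build_safe are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed query string (not from the bug report): hold_suspend appears
# three times, so param() returns three values in list context.
my $query = 'hold_suspend=1&hold_suspend=injected_key&hold_suspend=1';
my $cgi   = CGI->new($query);

# Same shape as the patch: inside a hash constructor param() is evaluated
# in list context, so all three values are spliced into the key/value list
# and the middle one becomes a new hash key.
sub build_unsafe {
    my ($q) = @_;
    my %args = (
        frozen => $q->param('hold_suspend'),
    );
    return \%args;
}

# Corrected form: force scalar context so exactly one value is assigned to
# the 'frozen' key regardless of how many times the parameter was sent.
sub build_safe {
    my ($q) = @_;
    my %args = (
        frozen => scalar $q->param('hold_suspend'),
    );
    return \%args;
}

# Print the resulting hashes side by side so the extra key is visible.
for my $pair ( [ unsafe => build_unsafe($cgi) ], [ safe => build_safe($cgi) ] ) {
    my ( $label, $args ) = @$pair;
    printf "%-6s %s\n", $label,
        join( ', ', map { "$_=$args->{$_}" } sort keys %$args );
}
```

Running it shows the unsafe hash carrying an unexpected injected_key entry alongside frozen, while the safe hash contains only frozen. Newer releases of CGI.pm also emit a "called in list context" warning for the unsafe pattern, which is a useful signal to grep for in existing code.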