Error templates allow query-based override of variables

We don't know the identity of the original reporter and neither did the party that relayed it to us. Thanks for a prompt fix.

If somebody should be credited in the advisory for this, please let me know, otherwise I'll just leave that out and can update it later.

Fixed via a new Errors setting, externalParameters, defaults to false. Suppresses injection of request into TemplateParameters field that allows the lookup. Can be turned on by people who think they really want this for now.

The actual pass-through of the request into the template layer was added in SP commit 109ccda928baa45021837cb59fd2aad960006941 and the note on it is that it was mainly for logout. I still can't think of why that would have been useful, let alone necessary, but possibly it allowed for people to trigger logout with additional parameters and then detect those in a template to do other things.

There are almost always going to be other ways to achieve that sort of thing, so I'm still inclined to just globally toggle it off.

The feature was added in 2007 in commit 6b323155d5aabd942df1fe6836cf0e507c2dfeb5. I do not have a clear indication of why. I have reviewed all the places the HTTP request is injected into the TemplateParameters object to allow this and not one of them has an obvious reason why it would be needed and it's pretty hard for me to really think of a scenario where you'd want it to.

I'm inclined to just add an internal sort of option to suppress this and toggle it on by default so that the patch would harden everything but provide a compatibility option in case somebody really needs more time to remediate something they're relying on, which would probably help motivate the feature and might lead to a better way to handle whatever it was that this was trying to achieve.