Description: Allow only word characters in filename suffixes
CVE-2013-4407: Allow only word characters in filename suffixes. An
attacker able to upload files to a service that uses
HTTP::Body::Multipart could use this issue to upload a file and create
a specifically-crafted temporary filename on the server, that when
processed without further validation, could allow execution of commands
on the server.
Origin: vendor
Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
Bug-Debian: http://bugs.debian.org/721634
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-10-21
Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.23
This version has a fix for the CVE, but the stricter regexp has served
us well so far...
diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm
--- HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm 2024-03-30 14:27:57.000000000 +1100
+++ HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm 2024-05-02 13:07:21.794271606 +1100
@@ -255,7 +255,7 @@
=cut
-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
our $file_temp_suffix = '.upload';
our $file_temp_template;
our %file_temp_parameters;
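Review bot: The tightened `$basename_regexp` on the added line still uses bare `\w` and `$`, so the accepted suffix set is wider than "word characters" in the description suggests: under Perl's Unicode rules `\w` also matches non-ASCII letters and digits, and `$` matches before a trailing newline (the newline itself is not captured, since `\w` excludes it). If an ASCII-only suffix is the intent, `our $basename_regexp = qr/(\.\w+(?:\.\w+)*)\z/a;` pins both points; whether non-ASCII suffixes matter in practice depends on where the captured suffix is consumed, which is outside this hunk. A why-comment would also help the next reader, e.g. `# CVE-2013-4407: only dot-separated word characters may form the temp-file suffix`. Since the pattern is a package variable (`our`), downstream code can still override it; the POD ending at the `=cut` context line above the hunk is the natural place to say so.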