calculate
/
gentoo-overlay
7
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '07cdf2be42'
${ noResults }
gentoo-overlay/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-...

32 lines
1.3 KiB
Raw Blame History

Description: Allow only word characters in filename suffixes
CVE-2013-4407: Allow only word characters in filename suffixes. An
attacker able to upload files to a service that uses
HTTP::Body::Multipart could use this issue to upload a file and create
a specifically-crafted temporary filename on the server, that when
processed without further validation, could allow execution of commands
on the server.
Origin: vendor
Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
Bug-Debian: http://bugs.debian.org/721634
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-10-21
Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm
--- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm 2013-12-06 16:07:25.000000000 +0100
+++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm 2014-11-30 23:17:19.652051615 +0100
@@ -258,8 +258,8 @@
=cut
-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
-#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
sub handler {
my ( $self, $part ) = @_;
Reference in new issue View Git Blame Copy Permalink