Control: tags -1 + patch Hi
I'm proposing the attached patch, but I want to hear back first from upstream to not diverge to much from there. Regards, Salvatore
Description: Allow only word characters in filename suffixes CVE-2013-4407: Allow only word characters in filename suffixes. An attacker able to upload files to a service that uses HTTP::Body::Multipart could use this issue to upload a file and create a specifically-crafted temporary filename on the server, that when processed without further validation, could allow execution of commands on the server. Origin: vendor Bug: https://rt.cpan.org/Ticket/Display.html?id=88342 Bug-Debian: http://bugs.debian.org/721634 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669 Forwarded: no Author: Salvatore Bonaccorso <car...@debian.org> Last-Update: 2013-10-21 --- a/lib/HTTP/Body/MultiPart.pm +++ b/lib/HTTP/Body/MultiPart.pm @@ -275,7 +275,7 @@ if ( $filename ne "" ) { my $basename = (File::Spec->splitpath($filename))[2]; - my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{}; + my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{}; my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
