File CVE-2013-4407.patch of Package perl-HTTP-Body

Description: Allow only word characters in filename suffixes
 CVE-2013-4407: Allow only word characters in filename suffixes. An
 attacker able to upload files to a service that uses
 HTTP::Body::Multipart could use this issue to upload a file and create
 a specifically-crafted temporary filename on the server, that when
 processed without further validation, could allow execution of commands
 on the server.
Solution was already mentioned in code, but not used.

Index: lib/HTTP/Body/MultiPart.pm
===================================================================
--- lib/HTTP/Body/MultiPart.pm.orig
+++ lib/HTTP/Body/MultiPart.pm
@@ -258,8 +258,8 @@ sub parse_body {
 
 =cut
 
-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
-#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
 
 sub handler {
     my ( $self, $part ) = @_;
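Review bot: The commented-out `#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;` line keeps the permissive pattern right next to the live one with nothing saying why it was disabled. Either drop it or add a comment naming CVE-2013-4407, so it is not switched back on later. Because `$basename_regexp` is declared with `our`, callers can still override it; the POD above should state that the capture must stay limited to word characters and dots. In the new pattern, `\w` can match non-ASCII word characters when the filename is a decoded character string. If the temp-file suffix is meant to be ASCII only, use the `/a` modifier or an explicit `[A-Za-z0-9_]` class. The patch touches only lib/HTTP/Body/MultiPart.pm; a regression test that feeds a filename whose suffix contains non-word characters and checks the resulting temp-file suffix would keep the fix from silently regressing.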