openSUSE:13.2:Update
File CVE-2013-4407.patch of Package perl-HTTP-Body
Description: Allow only word characters in filename suffixes CVE-2013-4407: Allow only word characters in filename suffixes. An attacker able to upload files to a service that uses HTTP::Body::Multipart could use this issue to upload a file and create a specifically-crafted temporary filename on the server, that when processed without further validation, could allow execution of commands on the server. Solution was already mention in code, but not used. Index: lib/HTTP/Body/MultiPart.pm =================================================================== --- lib/HTTP/Body/MultiPart.pm.orig +++ lib/HTTP/Body/MultiPart.pm @@ -258,8 +258,8 @@ sub parse_body { =cut -our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; -#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; +#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; +our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; sub handler { my ( $self, $part ) = @_;
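Review bot: In the $basename_regexp assignment, the old permissive pattern stays behind as a commented-out line with nothing saying why it must not be re-enabled, which is the same situation the description complains about ("already mention in code, but not used") in reverse. I would delete the old line, or replace it with a one-line comment that names CVE-2013-4407 and states that the captured suffix ends up in the temporary filename, so only word characters and dots may be captured. Two smaller points on the new pattern qr/(\.\w+(?:\.\w+)*)$/: \w is not restricted to ASCII when the filename is a decoded character string, so if ASCII-only suffixes are intended the /a modifier (Perl 5.14 and later) or an explicit [A-Za-z0-9_] class would make that explicit; and the patch carries no regression test, so a test that feeds a filename whose suffix contains characters outside \w and checks the resulting suffix would keep this from being flipped back.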