Diffstat (limited to 'main/perl-http-body/CVE-2013-4407.patch')
-rw-r--r-- | main/perl-http-body/CVE-2013-4407.patch | 26 |
1 files changed, 0 insertions, 26 deletions
diff --git a/main/perl-http-body/CVE-2013-4407.patch b/main/perl-http-body/CVE-2013-4407.patch
deleted file mode 100644
index 5071bac31a..0000000000
--- a/main/perl-http-body/CVE-2013-4407.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Description: Allow only word characters in filename suffixes
- CVE-2013-4407: Allow only word characters in filename suffixes. An
- attacker able to upload files to a service that uses
- HTTP::Body::Multipart could use this issue to upload a file and create
- a specifically-crafted temporary filename on the server, that when
- processed without further validation, could allow execution of commands
- on the server.
-Origin: vendor
-Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
-Bug-Debian: http://bugs.debian.org/721634
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
-Forwarded: no
-Author: Salvatore Bonaccorso <carnil@debian.org>
-Last-Update: 2013-10-21
-
---- a/lib/HTTP/Body/MultiPart.pm
-+++ b/lib/HTTP/Body/MultiPart.pm
-@@ -275,7 +275,7 @@
-
- if ( $filename ne "" ) {
- my $basename = (File::Spec->splitpath($filename))[2];
-- my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
-+ my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
-
- my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
- |