Diffstat (limited to 'dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch')
-rw-r--r-- | dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch b/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
deleted file mode 100644
index 292cac3aa6f4..000000000000
--- a/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Description: Allow only word characters in filename suffixes
- CVE-2013-4407: Allow only word characters in filename suffixes. An
- attacker able to upload files to a service that uses
- HTTP::Body::Multipart could use this issue to upload a file and create
- a specifically-crafted temporary filename on the server, that when
- processed without further validation, could allow execution of commands
- on the server.
-Origin: vendor
-Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
-Bug-Debian: http://bugs.debian.org/721634
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
-Forwarded: no
-Author: Salvatore Bonaccorso <carnil@debian.org>
-Last-Update: 2013-10-21
-
-Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
-
-diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm
---- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm 2013-12-06 16:07:25.000000000 +0100
-+++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm 2014-11-30 23:17:19.652051615 +0100
-@@ -258,8 +258,8 @@
-
- =cut
-
--our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
--#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
-+#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
-+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
-
- sub handler {
- my ( $self, $part ) = @_; |