From 1798c4aeca70ac8d0a243684d6a798fbc65735f8 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 14 Jul 2018 20:57:42 +0100
Subject: gentoo resync : 14.07.2018
---
.../files/HTTP-Body-1.190.0-CVE-2013-4407.patch | 31 ----------------------
1 file changed, 31 deletions(-)
delete mode 100644 dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
(limited to 'dev-perl/HTTP-Body/files')
diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch b/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
deleted file mode 100644
index 292cac3aa6f4..000000000000
--- a/dev-perl/HTTP-Body/files/HTTP-Body-1.190.0-CVE-2013-4407.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Description: Allow only word characters in filename suffixes
- CVE-2013-4407: Allow only word characters in filename suffixes. An
- attacker able to upload files to a service that uses
- HTTP::Body::Multipart could use this issue to upload a file and create
- a specifically-crafted temporary filename on the server, that when
- processed without further validation, could allow execution of commands
- on the server.
-Origin: vendor
-Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
-Bug-Debian: http://bugs.debian.org/721634
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
-Forwarded: no
-Author: Salvatore Bonaccorso
-Last-Update: 2013-10-21
-
-Updated by Andreas K. Huettel for HTTP-Body-1.19
-
-diff -ruN HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm
---- HTTP-Body-1.19.orig/lib/HTTP/Body/MultiPart.pm 2013-12-06 16:07:25.000000000 +0100
-+++ HTTP-Body-1.19/lib/HTTP/Body/MultiPart.pm 2014-11-30 23:17:19.652051615 +0100
-@@ -258,8 +258,8 @@
-
- =cut
-
--our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
--#our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
-+#our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
-+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
-
- sub handler {
- my ( $self, $part ) = @_;
--
cgit v1.2.3