Bug#516621: libwww-perl path disclosure

Lux In Tenebris lux.in.tenebris at gmail.com
Sun Feb 22 17:29:44 UTC 2009 

Package: libwww-perl
Version: 5.820-1

HTTP::Request::Common module (as I suppose) discloses *full path* to
the uploadable file included in POST request with multipart/form-data
content type.

My Perl script fragment:
===
my $ua = LWP::UserAgent->new;
my $http_request =
POST('http://rs303l3.rapidshare.com/cgi-bin/upload.cgi',
'content_type' => 'multipart/form-data', 'content' => ['filecontent'
=> [$ARGV[0]]]);
my $response = $ua->request($http_request);
===

Here is some TShark sniffer output:
===
Hypertext Transfer Protocol
    POST /cgi-bin/upload.cgi?rsuploadid=153466420479956668 HTTP/1.1\r\n
        Request Method: POST
        Request URI: /cgi-bin/upload.cgi?rsuploadid=153466420479956668
        Request Version: HTTP/1.1
    TE: deflate,gzip;q=0.3\r\n
    Connection: TE, close\r\n
    Host: rs116l3.rapidshare.com\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n
    Content-Length: 109
    Content-Type: multipart/form-data; boundary=xYzZY\r\n
    \r\n
MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary: "xYzZY"
    [Type: multipart/form-data]
    First boundary: --xYzZY\r\n
    Encapsulated multipart part:
        Content-Disposition: form-data; name="filecontent";
filename="/home/eno/scantailor"\r\n\r\n
    Last boundary: \r\n--xYzZY--\r\n
===

For example, making the same POST request with CURL doesn't do this:

curl -F filecontent=@/home/eno/scantailor
http://rs303l3.rapidshare.com/cgi-bin/upload.cgi
===
Hypertext Transfer Protocol
    POST /cgi-bin/upload.cgi HTTP/1.1\r\n
        Request Method: POST
        Request URI: /cgi-bin/upload.cgi
        Request Version: HTTP/1.1
    User-Agent: curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2
OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.10 libssh2/0.18\r\n
    Host: rs303l3.rapidshare.com\r\n
    Accept: */*\r\n
    Content-Length: 1058021
    Expect: 100-continue\r\n
    Content-Type: multipart/form-data;
boundary=----------------------------088d2195fe9c\r\n
    \r\n
...
0000  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
0010  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 38   --------------08
0020  38 64 32 31 39 35 66 65 39 63 0d 0a 43 6f 6e 74   8d2195fe9c..Cont
0030  65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a   ent-Disposition:
0040  20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65    form-data; name
0050  3d 22 66 69 6c 65 63 6f 6e 74 65 6e 74 22 3b 20   ="filecontent";
0060  66 69 6c 65 6e 61 6d 65 3d 22 73 63 61 6e 74 61   filename="scanta
0070  69 6c 6f 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54   ilor"..Content-T
0080  79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e   ype: application
0090  2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d   /octet-stream...
00a0  0a
===

More information about the pkg-perl-maintainers mailing list