Bug#516621: libwww-perl path disclosure

Ansgar Burchardt ansgar at 2008.43-1.org
Sun Feb 22 18:56:45 UTC 2009 

Hi,

I cannot reproduce your problem here.  Only the filename (without path) is
send here:

    % perl -MHTTP::Request::Common -e "print POST('http://127.0.0.1', content_type => 'multipart/form-data', content => [ filecontent => ['/dev/null'] ])->as_string"
    POST http://127.0.0.1
    Content-Length: 119
    Content-Type: multipart/form-data; boundary=xYzZY

    --xYzZY
    Content-Disposition: form-data; name="filecontent"; filename="null"
    Content-Type: text/plain


    --xYzZY--

and with LWP::UserAgent as well:

    % nc -l -p 8000 &
    % perl -MLWP::UserAgent -MHTTP::Request::Common -e 'LWP::UserAgent->new->request( POST("http://127.0.0.1:8000/", content_type => "multipart/form-data", content => [filecontent => ["/dev/null"]] ) )'
    POST / HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: 127.0.0.1:8000
    User-Agent: libwww-perl/5.820
    Content-Length: 119
    Content-Type: multipart/form-data; boundary=xYzZY

    --xYzZY
    Content-Disposition: form-data; name="filecontent"; filename="null"
    Content-Type: text/plain


    --xYzZY--

What do these output on your computer?  Is the path still included?

Regards,
Ansgar

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libwww-perl depends on:
ii  libhtml-parser-perl          3.60-1      collection of modules that parse H
ii  libhtml-tagset-perl          3.20-2      Data tables pertaining to HTML
ii  libhtml-tree-perl            3.23-1      represent and create HTML syntax t
ii  liburi-perl                  1.37+dfsg-1 Manipulates and accesses URI strin
ii  netbase                      4.34        Basic TCP/IP networking system
ii  perl [libdigest-md5-perl]    5.10.0-19   Larry Wall's Practical Extraction 

Versions of packages libwww-perl recommends:
ii  libcompress-zlib-perl         2.015-1    Perl module for creation and manip
pn  libhtml-format-perl           <none>     (no description available)
ii  libmailtools-perl             2.04-1     Manipulate email in perl programs

Versions of packages libwww-perl suggests:
ii  libio-socket-ssl-perl         1.22-1     Perl module implementing object or

-- no debconf information

More information about the pkg-perl-maintainers mailing list