Bug#516621: libwww-perl path disclosure

Lux In Tenebris lux.in.tenebris at gmail.com
Sun Feb 22 19:38:31 UTC 2009


2009/2/22 Ansgar Burchardt <ansgar at 2008.43-1.org>:
> Hi,
>
> I cannot reproduce your problem here.  Only the filename (without path) is
> sent here:
>
>    % perl -MHTTP::Request::Common -e "print POST('http://127.0.0.1', content_type => 'multipart/form-data', content => [ filecontent => ['/dev/null'] ])->as_string"
>    POST http://127.0.0.1
>    Content-Length: 119
>    Content-Type: multipart/form-data; boundary=xYzZY
>
>    --xYzZY
>    Content-Disposition: form-data; name="filecontent"; filename="null"
>    Content-Type: text/plain
>
>
>    --xYzZY--
>
> and with LWP::UserAgent as well:
>
>    % nc -l -p 8000 &
>    % perl -MLWP::UserAgent -MHTTP::Request::Common -e 'LWP::UserAgent->new->request( POST("http://127.0.0.1:8000/", content_type => "multipart/form-data", content => [filecontent => ["/dev/null"]] ) )'
>    POST / HTTP/1.1
>    TE: deflate,gzip;q=0.3
>    Connection: TE, close
>    Host: 127.0.0.1:8000
>    User-Agent: libwww-perl/5.820
>    Content-Length: 119
>    Content-Type: multipart/form-data; boundary=xYzZY
>
>    --xYzZY
>    Content-Disposition: form-data; name="filecontent"; filename="null"
>    Content-Type: text/plain
>
>
>    --xYzZY--
>
> What do these output on your computer?  Is the path still included?
>
> Regards,
> Ansgar
>
> -- System Information:
> Debian Release: 5.0
>  APT prefers testing
>  APT policy: (900, 'testing'), (600, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libwww-perl depends on:
> ii  libhtml-parser-perl          3.60-1      collection of modules that parse H
> ii  libhtml-tagset-perl          3.20-2      Data tables pertaining to HTML
> ii  libhtml-tree-perl            3.23-1      represent and create HTML syntax t
> ii  liburi-perl                  1.37+dfsg-1 Manipulates and accesses URI strin
> ii  netbase                      4.34        Basic TCP/IP networking system
> ii  perl [libdigest-md5-perl]    5.10.0-19   Larry Wall's Practical Extraction
>
> Versions of packages libwww-perl recommends:
> ii  libcompress-zlib-perl         2.015-1    Perl module for creation and manip
> pn  libhtml-format-perl           <none>     (no description available)
> ii  libmailtools-perl             2.04-1     Manipulate email in perl programs
>
> Versions of packages libwww-perl suggests:
> ii  libio-socket-ssl-perl         1.22-1     Perl module implementing object or
>
> -- no debconf information
>

It seems everything is fine actually. I've experimented with constructions like

    POST(..., 'content_type' => 'multipart/form-data', 'content' =>
        ['filecontent' => [undef, $ARGV[0], content => $file_contents]]);

and naively expected that it would dissect full filenames in this case
automatically. ;-)
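
Added example, not part of this thread and not libwww-perl's own code: the three
forms of HTTP::Request::Common's file spec (name => [ $file, $filename, @headers ])
side by side, showing which of them puts a directory part into the
Content-Disposition filename parameter. The path, the file contents and the two
helper names (build_request, sent_filename) are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not code from the bug report or from libwww-perl): compare
# how HTTP::Request::Common fills in the filename="..." parameter for the
# different forms of the name => [ $file, $filename, @headers ] file spec.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);
use File::Basename qw(basename);
use File::Temp qw(tempfile);

# Constructed inputs: a full path as a user might pass on the command line,
# and some file contents the caller has already read in.
my $path     = '/home/alice/secret-project/report.txt';
my $contents = "constructed file contents\n";

# Build a multipart/form-data POST from one file spec (hypothetical helper).
sub build_request {
    my (@spec) = @_;
    return POST('http://127.0.0.1:8000/',
        content_type => 'multipart/form-data',
        content      => [ filecontent => \@spec ],
    );
}

# Pull the filename="..." value out of the generated body (hypothetical helper).
sub sent_filename {
    my ($req) = @_;
    my ($name) = $req->content =~ /filename="([^"]*)"/;
    return defined $name ? $name : '';
}

# 1. Explicit $filename element, as in the construction quoted above: the
#    module uses it verbatim, so handing it a full path discloses the directory.
my $leaky = build_request(undef, $path, Content => $contents);
print "explicit filename: ", sent_filename($leaky), "\n";

# 2. Same construction, but strip the directory ourselves before passing it.
my $fixed = build_request(undef, basename($path), Content => $contents);
print "basename first:    ", sent_filename($fixed), "\n";

# 3. Let the module open the file itself ($filename left undef): it derives
#    the basename on its own, which is what Ansgar's /dev/null run shows.
my ($fh, $tmp) = tempfile(SUFFIX => '.txt');
print {$fh} $contents;
close $fh;
my $auto = build_request($tmp);
print "module-derived:    ", sent_filename($auto), "\n";

# A check a caller can keep: flag any filename that still carries a path
# separator before the request goes out.
for my $req ($leaky, $fixed, $auto) {
    my $name = sent_filename($req);
    warn "filename '$name' contains a directory part\n" if $name =~ m{/};
}
```

Only the first request trips the check: an explicit second element is never
rewritten by the module, while the path in the first element has everything up
to the last '/' stripped. Code that copies a user-supplied path into the
$filename slot therefore has to call basename() (or equivalent) itself.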

More information about the pkg-perl-maintainers mailing list