Bug#721634: libhttp-body-perl: HTTP::Body::Multipart critical security bug

Jonathan Dolle jonathan.dolle at groupsquad.com
Mon Sep 2 15:47:57 UTC 2013


Package: libhttp-body-perl
Version: 1.11-1
Severity: normal

Dear Maintainer,

Hello,

We discovered a critical bug in HTTP::Body::Multipart >= 1.08.

It concerns this point (see changelog):
	"Temp files now preserve the suffix of the uploaded file"

The following line in HTTP::Body::Multipart is not good:
my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};


It is too permissive.
For example, with the following file name:
"2013-06-19 at 11.37.56 PM.png"

We can obtain this temp file:
"/tmp/k6gvivOIYK.37.56 PM.png"

It takes everything after the first dot, even spaces!

Previously, the tempname was always alphanumeric. No special chars. So we could use it directly in commands like:
my $info = `identify -format "%m" $filename 2>&1`;

With a space, the command becomes invalid. Worse: we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"

I recommend the following regexp:
my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};

Or, for extensions like '.tar.gz':
my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};
Or better:
my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};


Best regards,
Jonathan Dolle


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libhttp-body-perl depends on:
ii  libpath-class-perl  0.25-1
ii  libwww-perl         6.04-1
ii  libyaml-perl        0.81-1
ii  perl                5.14.2-9

libhttp-body-perl recommends no packages.

libhttp-body-perl suggests no packages.

-- no debconf information
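The following script is an added example; it is neither part of the bug report nor of HTTP::Body itself. It runs the suffix expression the report quotes from HTTP::Body::Multipart >= 1.08 next to the three stricter alternatives proposed above (the last one written as `(?:\.\w+)+`, the evident intent of the report's `[\w+]`) over the two file names from the report plus a constructed double-extension name, and flags each resulting suffix as safe or unsafe to splice into a shell command string. The extractor labels, the sample names and the `suffix_is_shell_safe` check are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Suffix extractors. 'module_1_08' is the expression quoted in the report from
# HTTP::Body::Multipart >= 1.08; the other three are the report's proposals
# (the last with the character class [\w+] written as the intended \w+).
# Labels are this example's own.
my @extractors = (
    [ module_1_08 => sub { $_[0] =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{} } ],
    [ word_only   => sub { $_[0] =~ /[^.]+(\.[\w]+)$/    ? $1 : q{} } ],
    [ word_or_dot => sub { $_[0] =~ /[^.]+(\.[\w\.]+)$/  ? $1 : q{} } ],
    [ dot_groups  => sub { $_[0] =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{} } ],
);

# Constructed upload basenames: the two from the report plus a double
# extension, which separates the three proposed patterns from each other.
my @basenames = (
    'photo.png',
    '2013-06-19 at 11.37.56 PM.png',
    'file. || rm -rf ~ || .png',
    'archive.tar.gz',
);

# A suffix may only be interpolated into a command string if it contains
# nothing the shell interprets. Word characters and dots are exactly the set
# the stricter patterns can produce; anything else taints the temp name.
sub suffix_is_shell_safe {
    my ($suffix) = @_;
    return $suffix =~ /\A[\w.]*\z/ ? 1 : 0;
}

for my $name (@basenames) {
    print "upload: \"$name\"\n";
    for my $e (@extractors) {
        my ( $label, $extract ) = @$e;
        my $suffix  = $extract->($name);
        my $verdict = suffix_is_shell_safe($suffix) ? 'safe' : 'UNSAFE';
        printf "  %-12s -> %-26s %s\n", $label, "\"$suffix\"", $verdict;
    }
}
```

For the second and third names only `module_1_08` yields an unsafe suffix (`.37.56 PM.png` and `. || rm -rf ~ || .png`); the three stricter patterns all reduce to `.png`. For `archive.tar.gz`, `word_only` keeps just `.gz` while `word_or_dot` and `dot_groups` keep `.tar.gz`, which is why the report prefers the latter two. Independently of which pattern the module adopts, code that hands the temp name to an external program is safest when it passes the path as a separate argument (list-form `system`, or a multi-argument pipe `open`) rather than interpolating it into backticks, since that removes the shell from the picture whatever the suffix contains.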
