Bug#721634: libhttp-body-perl: HTTP::Body::Multipart critical security bug
Jonathan Dolle
jonathan.dolle at groupsquad.com
Mon Sep 2 15:47:57 UTC 2013
Package: libhttp-body-perl
Version: 1.11-1
Severity: normal
Dear Maintainer,
Hello,
We discovered a critical bug in HTTP::Body::Multipart >= 1.08.
It concerns this point (see changelog):
"Temp files now preserve the suffix of the uploaded file"
The following line in HTTP::Body::Multipart is not good:
my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
It is too permissive.
For example, with the following file name:
"2013-06-19 at 11.37.56 PM.png"
We can obtain this temp file :
"/tmp/k6gvivOIYK.37.56 PM.png"
It takes everything after the first dot, even spaces!
Previously, the tempname was always alphanumeric. No special chars. So we could use it directly in commands like:
my $info = `identify -format "%m" $filename 2>&1`;
With a space, the command becomes invalid. Worse: we can easily do 'injections'.
For example with a filename like:
"file. || rm -rf ~ || .png"
I recommend the following regexp:
my $suffix = $basename =~ /[^.]+(\.[\w]+)$/ ? $1 : q{};
Or, for extensions like '.tar.gz':
my $suffix = $basename =~ /[^.]+(\.[\w\.]+)$/ ? $1 : q{};
Or better:
my $suffix = $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
Best regards,
Jonathan Dolle
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libhttp-body-perl depends on:
ii libpath-class-perl 0.25-1
ii libwww-perl 6.04-1
ii libyaml-perl 0.81-1
ii perl 5.14.2-9
libhttp-body-perl recommends no packages.
libhttp-body-perl suggests no packages.
-- no debconf information
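The following script is an added illustration, not code from the bug report or from HTTP::Body itself. It runs the permissive suffix regex quoted above against a restricted, dot-separated-word form (one or more `\.\w+` groups) on a handful of constructed file names, including the two from the report, and flags any extracted suffix that would carry whitespace or shell metacharacters into the temp file name. The sample names and the helper names are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or of HTTP::Body): compare the
# suffix regex from HTTP::Body::Multipart 1.08+ with a restricted form that
# only admits dot-separated runs of word characters.
use strict;
use warnings;

# Regex as quoted in the report: the suffix is everything after the first
# dot, as long as it contains no slash or backslash.
sub suffix_permissive {
    my ($basename) = @_;
    return $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
}

# Restricted form: one or more groups of a dot followed by [A-Za-z0-9_],
# so ".tar.gz" survives but spaces, '|', '~' and similar never do.
sub suffix_restricted {
    my ($basename) = @_;
    return $basename =~ /[^.]+((?:\.\w+)+)$/ ? $1 : q{};
}

# Check a suffix before it is appended to a temp file name: it must be
# empty or consist solely of dot-separated word characters.
sub suffix_is_safe {
    my ($suffix) = @_;
    return $suffix =~ /\A(?:\.\w+)*\z/ ? 1 : 0;
}

# Constructed sample names (the first two are taken from the report).
my @samples = (
    '2013-06-19 at 11.37.56 PM.png',
    'file. || rm -rf ~ || .png',
    'archive.tar.gz',
    'README',
    '.hidden',
);

printf "%-32s %-28s %s\n", 'basename', 'permissive suffix', 'restricted suffix';
for my $name (@samples) {
    my $old = suffix_permissive($name);
    my $new = suffix_restricted($name);
    printf "%-32s %-28s %s%s\n", "'$name'", "'$old'", "'$new'",
        suffix_is_safe($old) ? '' : '   <- permissive result is unsafe';
}
```

For the first sample the permissive regex yields ".37.56 PM.png" and the restricted one ".png"; for the second it yields ". || rm -rf ~ || .png" versus ".png"; "archive.tar.gz" gives ".tar.gz" under both; "README" and ".hidden" give an empty suffix under both. The `suffix_is_safe` check is the guard to apply regardless of which regex produced the suffix, and none of this removes the need to quote or avoid shell interpolation of file names in commands such as the `identify` call in the report.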