Description: Allow only word characters in filename suffixes CVE-2013-4407: Allow only word characters in filename suffixes. An attacker able to upload files to a service that uses HTTP::Body::Multipart could use this issue to upload a file and create a specifically-crafted temporary filename on the server, that when processed without further validation, could allow execution of commands on the server. Origin: vendor Bug: https://rt.cpan.org/Ticket/Display.html?id=88342 Bug-Debian: http://bugs.debian.org/721634 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669 Forwarded: no Author: Salvatore Bonaccorso Last-Update: 2013-10-21 Updated by Andreas K. Huettel for HTTP-Body-1.19 Updated by Andreas K. Huettel for HTTP-Body-1.23 This version has a fix for the CVE, but the stricter regexp has served us well so far... diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm --- HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm 2024-03-30 14:27:57.000000000 +1100 +++ HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm 2024-05-02 13:07:21.794271606 +1100 @@ -255,7 +255,7 @@ =cut -our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/; +our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/; our $file_temp_suffix = '.upload'; our $file_temp_template; our %file_temp_parameters;
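Review bot: the replacement `qr/(\.\w+(?:\.\w+)*)$/` drops the `[^.]+` prefix that the old pattern required before the suffix, so a name that is nothing but a dotted suffix (for example `.htaccess`) now yields the whole name as the captured suffix, where the old pattern matched nothing and the suffix stayed empty; if that is intended, it belongs in the POD that ends at the `=cut` context line, which this patch does not touch. Restricting the capture to `\w` does address the problem the header describes (any character other than `\` and `/` could previously be carried from the uploaded name into the temporary filename's suffix), but `\w` without the `/a` modifier also matches Unicode letters and digits; `qr/(\.\w+(?:\.\w+)*)$/a` limits the suffix to ASCII `[A-Za-z0-9_]` if that is what the patch is meant to guarantee.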