Skip Menu |
 

This queue is for tickets about the MIME-tools CPAN distribution.

Report information
The Basics
Id: 22680
Status: resolved
Priority: 0/
Queue: MIME-tools

People
Owner: Nobody in particular
Requestors: at [...] altlinux.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: [PATCH] MIME/Body.pm (open): protection against malicious filenames
Date: Sat, 28 Oct 2006 14:20:22 +0400
To: bug-mime-tools [...] rt.cpan.org
From: Alexey Tourbin <at [...] altlinux.ru>
Download (untitled) / with headers
text/plain 1.1k
This makes MIME::Body work with malicious filenames, e.g. filenames with leading and trailing whitespaces. The following now works: perl -MMIME::Body -le 'print MIME::Body::File->new(" bad file ")->open("r")' This also prevents special open metacharacters from being interpreted. See perlopentut for details. --- lib/MIME/Body.pm | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/MIME/Body.pm b/lib/MIME/Body.pm index 8b9117a..02f25bb 100644 --- a/lib/MIME/Body.pm +++ b/lib/MIME/Body.pm @@ -428,11 +428,15 @@ sub open { my ($self, $mode) = @_; my $IO; my $path = $self->path; + if ($path =~ /^\s+/) { + require File::Spec; + $path = File::Spec->catfile(File::Spec->curdir, $path); + } if ($mode eq 'w') { ### writing - $IO = FileHandle->new(">$path") || die "write-open $path: $!"; + $IO = FileHandle->new("> $path\0") || die "write-open $path: $!"; } elsif ($mode eq 'r') { ### reading - $IO = FileHandle->new("<$path") || die "read-open $path: $!"; + $IO = FileHandle->new("< $path\0") || die "read-open $path: $!"; } else { die "bad mode: '$mode'"; -- 1.4.3.GIT
Download (untitled) / with headers
text/plain 164b
This should be a non-issue now that we're using the two-arg version of open in MIME::Body::File. I've added a test to t/Body.t to ensure that this doesn't regress.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.