Commit 7454a74b authored by J0WI's avatar J0WI Committed by Leonardo Arena

main/perl-http-body: modernize and upgrade to 1.22

parent 8ce6a205
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=perl-http-body
pkgver=1.17
pkgver=1.22
pkgrel=0
pkgdesc="HTTP::Body perl module"
url="http://search.cpan.org/dist/HTTP-Body/"
url="https://search.cpan.org/dist/HTTP-Body/"
arch="noarch"
license="GPL-2.0 or Artistic"
depends="perl perl-http-message perl-uri"
makedepends="perl-dev perl-test-deep"
install=""
subpackages="$pkgname-doc"
source="http://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz
CVE-2013-4407.patch
"
source="https://search.cpan.org/CPAN/authors/id/G/GE/GETTY/HTTP-Body-$pkgver.tar.gz"
builddir="$srcdir"/HTTP-Body-$pkgver
_builddir="$srcdir"/HTTP-Body-$pkgver
prepare() {
local i
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
build() {
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor
make
}
build() {
cd "$_builddir"
PERL_MM_USE_DEFAULT=1 perl Makefile.PL INSTALLDIRS=vendor || return 1
make && make test || return 1
check() {
make test
}
package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
make DESTDIR="$pkgdir" install
find "$pkgdir" \( -name perllocal.pod -o -name .packlist \) -delete
}
md5sums="3c14ccc3af652aa5297b9fc87d263b3b HTTP-Body-1.17.tar.gz
8e5a8675955e2bb7a23579be4df6558d CVE-2013-4407.patch"
sha256sums="131cdae4a4c8ee1b2b17c90db30c534d3f87f3a89c3133e3a0aab1f058fbe690 HTTP-Body-1.17.tar.gz
5bacbbeda2c4297188f2fdfb03ee7d00785452bb72fac8ac0e8bd5e3575c7061 CVE-2013-4407.patch"
sha512sums="978ed98929bd7a829f97a1f9adb847f2fc7cf84428c7356d19a5747dfd7679702754869cbf819882e4580aa72af037d0a40b2e5f91e18baf5497068d2f857eae HTTP-Body-1.17.tar.gz
f6a53949bdb592e9cf10771f3b38b538ac8aeacaddbb7f4f71528147ae2c16ff27a1b191210ec3df3592ad5377beaef4db988ae5eb7a003f4aea558c02995d69 CVE-2013-4407.patch"
sha512sums="62665989d76699a3c3747d8f4e23d2009488bc229220bcf6fc07fc425e6ac5118f6ea48c75af681c2f29e9ed644d7a7979368cc36df77aca0544786b523c9cfe HTTP-Body-1.22.tar.gz"
Description: Allow only word characters in filename suffixes
CVE-2013-4407: Allow only word characters in filename suffixes. An
attacker able to upload files to a service that uses
HTTP::Body::Multipart could use this issue to upload a file and create
a specifically-crafted temporary filename on the server, that when
processed without further validation, could allow execution of commands
on the server.
Origin: vendor
Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
Bug-Debian: http://bugs.debian.org/721634
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-10-21
--- a/lib/HTTP/Body/MultiPart.pm
+++ b/lib/HTTP/Body/MultiPart.pm
@@ -275,7 +275,7 @@
if ( $filename ne "" ) {
my $basename = (File::Spec->splitpath($filename))[2];
- my $suffix = $basename =~ /[^.]+(\.[^\\\/]+)$/ ? $1 : q{};
+ my $suffix = $basename =~ /(\.\w+(?:\.\w+)*)$/ ? $1 : q{};
my $fh = File::Temp->new( UNLINK => 0, DIR => $self->tmpdir, SUFFIX => $suffix );
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment