HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407

[Stig Palmquist <stig () stig io>]

HTTP::Body after 1.07 and before 1.23 for Perl handles multipart file uploads as
temporary files while retaining file extensions. An attacker can provide crafted
filenames containing for example shell metacharacters, affecting programs that
expect these temporary filenames to be well formed.

Version 1.23 of HTTP::Body has been fixed upstream to set a static ".upload"
extension, overriding user provided extensions by default.

Users are recommended to update to version 1.23 or later.


NOTE: Currently, the CVE description incorrectly indicate that this was fixed
in versions after 1.17.

Version 1.18 provided:
- A global variable to set the regex used to validate extensions
- A code comment containing a stricter regex
- No change to the default behavior

Debian and other distributions are carrying a patch for CVE-2013-4407 including
the stricter regex for versions before 1.23.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4407
https://metacpan.org/release/GETTY/HTTP-Body-1.23/view/lib/HTTP/Body.pm#NOTES
https://metacpan.org/release/GETTY/HTTP-Body-1.18/source/lib/HTTP/Body/MultiPart.pm#L262
https://salsa.debian.org/perl-team/modules/packages/libhttp-body-perl/-/blob/8645c1b4b6a39f6d82b7a05869d567ae4e8f0e24/debian/patches/CVE-2013-4407.patch