Bug #17848 for CGI: broken uploads because of incorerct Content-Disposition value parsing

[we have already reported this bug via email to Lincoln D. Stein on 07 Jan 2006 but got no reply] there is a nasty bug in CGI.pm resulting in inability to receive the uploaded file. one of our CGI scripts accepts file uploads, and for some users it was producing strange results: from the CGI script it looked as if the file name was containing what was supposed to be the file content, and the file content was absent. it appeared to be due to the bug in CGI.pm which is fixed by the attached patch. i.e. the regular expression was expecting that the filename between the quotes should not contain a semicolon, while some of the files were containing a semicolon, e.g. a raw form submission contained this: ... -----------------------------14042802788933518161505795335 Content-Disposition: form-data; name="file"; filename="12 Källarback Variations.mp3" Content-Type: audio/mpeg ... -----------------------------14042802788933518161505795335 ... Please fix this in the mainstream version of CGI.pm

--- /usr/local/lib/perl5/5.8.7/CGI.pm.orig Fri Jan 6 22:16:55 2006 +++ /usr/local/lib/perl5/5.8.7/CGI.pm Fri Jan 6 22:19:04 2006 @@ -3251,11 +3251,11 @@ return; } - my($param)= $header{'Content-Disposition'}=~/ name="([^;]*)"/; + my($param)= $header{'Content-Disposition'}=~/ name="([^"]*)"/; $param .= $TAINTED; # Bug: Netscape doesn't escape quotation marks in file names!!! - my($filename) = $header{'Content-Disposition'}=~/ filename="([^;]*)"/; + my($filename) = $header{'Content-Disposition'}=~/ filename="([^"]*)"/; # Test for Opera's multiple upload feature my($multipart) = ( defined( $header{'Content-Type'} ) && $header{'Content-Type'} =~ /multipart\/mixed/ ) ?