Subject: [PATCH] MIME/Body.pm (open): protection against malicious filenames
Date: Sat, 28 Oct 2006 14:20:22 +0400
To: bug-mime-tools [...] rt.cpan.org
From: Alexey Tourbin <at [...] altlinux.ru>

This makes MIME::Body work with malicious filenames, e.g. filenames with
leading and trailing whitespace. The following now works:

    perl -MMIME::Body -le 'print MIME::Body::File->new(" bad file ")->open("r")'

This also prevents special open metacharacters from being interpreted.
See perlopentut for details.
---
lib/MIME/Body.pm | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/MIME/Body.pm b/lib/MIME/Body.pm
index 8b9117a..02f25bb 100644
--- a/lib/MIME/Body.pm
+++ b/lib/MIME/Body.pm
@@ -428,11 +428,15 @@ sub open {
my ($self, $mode) = @_;
my $IO;
my $path = $self->path;
+ if ($path =~ /^\s+/) {
+ require File::Spec;
+ $path = File::Spec->catfile(File::Spec->curdir, $path);
+ }
if ($mode eq 'w') { ### writing
- $IO = FileHandle->new(">$path") || die "write-open $path: $!";
+ $IO = FileHandle->new("> $path\0") || die "write-open $path: $!";
}
elsif ($mode eq 'r') { ### reading
- $IO = FileHandle->new("<$path") || die "read-open $path: $!";
+ $IO = FileHandle->new("< $path\0") || die "read-open $path: $!";
}
else {
die "bad mode: '$mode'";
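
Review bot: Both FileHandle->new calls still concatenate the mode and the path into a single string ("> $path\0" and "< $path\0"), so correctness depends on the ./ prefix and the trailing NUL covering every special case of the two-argument open syntax, while the guard above them only tests for leading whitespace (/^\s+/). Consider passing the mode as a separate argument, e.g. FileHandle->new($path, "w") and FileHandle->new($path, "r"), which keeps the path out of the mode string and may make the File::Spec workaround unnecessary. The diffstat lists only lib/MIME/Body.pm, so a regression test that opens " bad file " for write and then for read would be worth adding alongside this change.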
--
1.4.3.GIT