Bug #46911 for libwww-perl: HTML::Form Security problem

RT for rt.cpan.org

This queue is for tickets about the libwww-perl CPAN distribution.

Report information

The Basics

Id:	46911
Status:	resolved
Priority:	0/
Queue:	libwww-perl

People

Owner:	Nobody in particular
Requestors:	m-uchino [...] yetipapa.com
Cc:
AdminCc:

Bug Information

Severity:	(no value)
Broken in:	(no value)
Fixed in:	(no value)

History Show all quoted text

Sat Jun 13 05:28:58 2009 m-uchino [...] yetipapa.com - Ticket created

Subject:

HTML::Form Security problem

(Sorry, my English is poor.) HTML::Form->parse accepts '<input type="file" value="/usr/bin/passwd">'. Therefore, HTML::Form accesses this file when a form is submited before we notice it. parse method should not accept an initial value of type="file" so that much Web browsers are so.

Sat Jun 13 07:32:14 2009 GAAS [...] cpan.org - Correspondence added

Fixed in http://github.com/gisle/libwww- perl/commit/fa138a1c225dfa42e3dc804e6db943aa3d12798f

Sat Jun 13 07:32:14 2009 The RT System itself - Status changed from 'new' to 'open'

Sat Jun 13 07:32:15 2009 GAAS [...] cpan.org - Status changed from 'open' to 'resolved'