Description: Allow only word characters in filename suffixes
 CVE-2013-4407: Allow only word characters in filename suffixes. An
 attacker able to upload files to a service that uses
 HTTP::Body::Multipart could use this issue to upload a file and create
 a specifically-crafted temporary filename on the server, that when
 processed without further validation, could allow execution of commands
 on the server.
Origin: vendor
Forwarded: no
Author: Salvatore Bonaccorso <>
Last-Update: 2013-10-21

Updated by Andreas K. Huettel <> for HTTP-Body-1.19
Updated by Andreas K. Huettel <> for HTTP-Body-1.23
 This version has a fix for the CVE, but the stricter regexp has served
 us well so far...

diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/ HTTP-Body-1.23/lib/HTTP/Body/
--- HTTP-Body-1.23.orig/lib/HTTP/Body/	2024-03-30 14:27:57.000000000 +1100
+++ HTTP-Body-1.23/lib/HTTP/Body/	2024-05-02 13:07:21.794271606 +1100
@@ -255,7 +255,7 @@
-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
+our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
 our $file_temp_suffix = '.upload';
 our $file_temp_template;
 our %file_temp_parameters;
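
Review bot: the replacement `$basename_regexp` on the `+` line relies on `\w` and `$`, and neither is as strict as "only word characters" in the description suggests. In Perl, `\w` matches any Unicode word character when the filename is a decoded character string, and `$` also matches just before a trailing newline. Consider `qr/(\.\w+(?:\.\w+)*)\z/a`, or an explicit `[A-Za-z0-9_]` class, so the captured suffix is ASCII-only and anchored at the true end of the string. The `(?:\.\w+)*` repetition also leaves the suffix length and the number of dot-separated parts under the uploader's control, so a length cap on the capture before it is used in the temporary filename would be worth adding. A short comment above the variable recording why this pattern is kept stricter than the fix already in 1.23 would help the next person who rebases the patch.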