authorAndreas K. Hüttel <dilfridge@gentoo.org>2024-05-02 13:10:10 +1100
committerAndreas K. Hüttel <dilfridge@gentoo.org>2024-05-02 13:10:48 +1100
commit0401373b18f97cad54dc4df9f9e5b131aee0aa76 (patch)
treee55ee52f8c2050eefc16b4fa35a9d76d353f8686
parentdev-python/rq: Bump to 1.16.2 (diff)
dev-perl/HTTP-Body: add 1.230.0
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
-rw-r--r--dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild43
-rw-r--r--dev-perl/HTTP-Body/Manifest1
-rw-r--r--dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch33
3 files changed, 77 insertions, 0 deletions
diff --git a/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
new file mode 100644
index 000000000000..4e35d76d651b
--- /dev/null
+++ b/dev-perl/HTTP-Body/HTTP-Body-1.230.0.ebuild
@@ -0,0 +1,43 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DIST_AUTHOR=GETTY
+DIST_VERSION=1.23
+inherit perl-module
+
+DESCRIPTION="HTTP Body Parser"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+
+# HTTP::Headers -> HTTP-Message
+# HTTP::Request::Common -> HTTP-Message
+# IO::File -> IO
+RDEPEND="
+ virtual/perl-Carp
+ virtual/perl-Digest-MD5
+ >=virtual/perl-File-Temp-0.140.0
+ dev-perl/HTTP-Message
+ >=virtual/perl-IO-1.140.0
+"
+BDEPEND="${RDEPEND}
+ virtual/perl-ExtUtils-MakeMaker
+ test? (
+ virtual/perl-Encode
+ virtual/perl-File-Spec
+ >=virtual/perl-File-Temp-0.140.0
+ dev-perl/HTTP-Message
+ dev-perl/Test-Deep
+ >=virtual/perl-Test-Simple-0.860.0
+ )
+"
+
+PERL_RM_FILES=(
+ t/02pod.t
+ t/03podcoverage.t
+ t/04critic.t
+)
+
+PATCHES=( "${FILESDIR}/${PN}-1.230.0-CVE-2013-4407.patch" )
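Review bot: The `PATCHES` line applies a file named for CVE-2013-4407 with no comment in the ebuild explaining why it is still needed, while the patch's own header says 1.23 already contains a fix. Someone reading only the ebuild could conclude the upstream release is unfixed, or drop the patch on the next bump as obsolete without noticing it is a deliberate tightening. I would add a comment above the line such as `# Upstream 1.23 already fixes CVE-2013-4407; patch kept as stricter hardening of the temp-file suffix regexp.`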
diff --git a/dev-perl/HTTP-Body/Manifest b/dev-perl/HTTP-Body/Manifest
index d2a831ea78f3..381c6924aeb3 100644
--- a/dev-perl/HTTP-Body/Manifest
+++ b/dev-perl/HTTP-Body/Manifest
@@ -1 +1,2 @@
DIST HTTP-Body-1.22.tar.gz 26163 BLAKE2B c6b2cf67fd9964fe253251dd91a67b11563c3cb157ad670733254acb3d44fcede97dcfb84d09ed52bc9f8cc60275838abd8f110aa01aed3bb18400bcc108b255 SHA512 62665989d76699a3c3747d8f4e23d2009488bc229220bcf6fc07fc425e6ac5118f6ea48c75af681c2f29e9ed644d7a7979368cc36df77aca0544786b523c9cfe
+DIST HTTP-Body-1.23.tar.gz 26980 BLAKE2B 2ad08b894a26a06089dff6294f978583d49ee5aa770fb195d01fc6db7a39bda0cb831ed5137afabbc75598e2dbe3fb8dd0681f688776270d01f99498abb17c23 SHA512 b02fb8652ceebdaa858ff12fe759ded62eefa7f23e5bf8b90e31a52d4433f13d29986f9646141b92a6a4ea58e1be007c6f675c3e2b26559fa0ff9333e69f3ebb
diff --git a/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
new file mode 100644
index 000000000000..e4046ec3fec3
--- /dev/null
+++ b/dev-perl/HTTP-Body/files/HTTP-Body-1.230.0-CVE-2013-4407.patch
@@ -0,0 +1,33 @@
+Description: Allow only word characters in filename suffixes
+ CVE-2013-4407: Allow only word characters in filename suffixes. An
+ attacker able to upload files to a service that uses
+ HTTP::Body::Multipart could use this issue to upload a file and create
+ a specifically-crafted temporary filename on the server, that when
+ processed without further validation, could allow execution of commands
+ on the server.
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=88342
+Bug-Debian: http://bugs.debian.org/721634
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005669
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-10-21
+
+Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.19
+Updated by Andreas K. Huettel <dilfridge@gentoo.org> for HTTP-Body-1.23
+ This version has a fix for the CVE, but the stricter regexp has served
+ us well so far...
+
+diff -ruN HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm
+--- HTTP-Body-1.23.orig/lib/HTTP/Body/MultiPart.pm 2024-03-30 14:27:57.000000000 +1100
++++ HTTP-Body-1.23/lib/HTTP/Body/MultiPart.pm 2024-05-02 13:07:21.794271606 +1100
+@@ -255,7 +255,7 @@
+
+ =cut
+
+-our $basename_regexp = qr/[^.]+(\.[^\\\/]+)$/;
++our $basename_regexp = qr/(\.\w+(?:\.\w+)*)$/;
+ our $file_temp_suffix = '.upload';
+ our $file_temp_template;
+ our %file_temp_parameters;
+
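Review bot: The replacement `$basename_regexp` is anchored with `$` and uses `\w` without the `/a` modifier, so it is slightly looser than the header's "only word characters" suggests. `$` also matches before a trailing newline, and `\w` can match non-ASCII word characters if the filename arrives here as decoded text, which this hunk does not show. If an ASCII-only suffix is the intent, `our $basename_regexp = qr/(\.\w+(?:\.\w+)*)\z/a;` states it exactly. The group also accepts any number of dot-separated parts, so suffix length is bounded only by the filename; whether that matters depends on how the caller builds the temp name, which is outside the hunk. Because the variable is declared with `our`, a short comment noting that applications which reassign it lose this restriction would help the next maintainer.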