From 959037a055713bbf644c83e4acd1a40a7f4d58c7 Mon Sep 17 00:00:00 2001
From: Marko Asplund <aspa@merlot.kronodoc.fi>
Date: Fri, 4 Nov 2005 15:40:05 +0200
Subject: [PATCH] [perl #37607] CGI file upload file name parsing errors
 Message-ID: <5.8.7_13518_1131102897@merlot.kronodoc.fi>

p4raw-id: //depot/perl@32683
---
 lib/CGI.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/CGI.pm b/lib/CGI.pm
index bd665b5..0e23450 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -19,7 +19,7 @@ use Carp 'croak';
 #   http://stein.cshl.org/WWW/software/CGI/
 
 $CGI::revision = '$Id: CGI.pm,v 1.240 2007/11/30 18:58:27 lstein Exp $';
-$CGI::VERSION='3.31';
+$CGI::VERSION='3.31_01';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -3379,7 +3379,11 @@ sub read_multipart {
         $param .= $TAINTED;
 
 	# Bug:  Netscape doesn't escape quotation marks in file names!!!
-	my($filename) = $header{'Content-Disposition'}=~/ filename="([^"]*)"/;
+	# See RFC 1867, 2183, 2045
+	# NB: File content will be loaded into memory should
+	# content-disposition parsing fail.
+	my ($filename) = $header{'Content-Disposition'}=~/ filename=(("[^"]*")|([a-z\d!\#'\*\+,\.^_\`\{\}\|\~]*))/i;
+	$filename =~ s/^"([^"]*)"$/$1/;
 	# Test for Opera's multiple upload feature
 	my($multipart) = ( defined( $header{'Content-Type'} ) &&
 		$header{'Content-Type'} =~ /multipart\/mixed/ ) ?
-- 
1.8.3.1