Bug#954058: libhttp-tinyish-perl: Please verify server identity via SSL

Felix Lechner felix.lechner at lease-up.com
Mon Mar 16 04:24:42 GMT 2020


Package: libhttp-tinyish-perl
Severity: important

Dear maintainer,

Your package performs downloads that are presumed to be secure via
https:// but does not verify any server certificates.

I believe the encryption of a transmission has no value when talking
to the wrong person. Users of your package may not realize that
verification is turned off. You can see the dangerous default by
running the script at the end of this message.

Will you please turn on SSL verification in HTTP::Tinyish?

Kind regards
Felix Lechner

* * *

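#!/usr/bin/perl

use strict;
use warnings;

use HTTP::Tinyish;

# The host below presents a self-signed certificate, so a client that
# verifies the server certificate should fail this request.
my $response = HTTP::Tinyish->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
    unless $response->{success};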

print "$response->{status} $response->{reason}\n";

while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};
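
An offline variant of the check above, as an added example that is not part of the original report: it starts a loopback TLS server with a throwaway self-signed certificate and reports whether HTTP::Tinyish completes a request to it, first with the default constructor and then with verify_SSL => 1, the HTTP::Tiny-style option that HTTP::Tinyish accepts. The certificate, port and the helper name accepts_untrusted are constructed for the example, and IO::Socket::SSL is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tinyish;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create);

# Constructed throwaway self-signed certificate; no trust store contains it.
my ($cert, $key) = CERT_create(subject => { commonName => 'localhost' });

my $server = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 0,            # let the kernel pick a free port
    Listen    => 5,
    SSL_cert  => $cert,
    SSL_key   => $key,
) or die "listen failed: $! $SSL_ERROR\n";
my $url = 'https://127.0.0.1:' . $server->sockport . '/';

my $pid = fork() // die "fork failed: $!\n";
if ($pid == 0) {
    # Child: minimal HTTPS responder, killed by the parent when done.
    $SIG{PIPE} = 'IGNORE';
    while (1) {
        # accept() returns undef when a verifying client aborts the handshake.
        my $client = $server->accept or next;
        while (defined(my $line = <$client>)) { last if $line =~ /^\r?\n$/ }
        print $client "HTTP/1.0 200 OK\r\nContent-Length: 2\r\n",
                      "Connection: close\r\n\r\nok";
        close $client;
    }
}

# Returns 1 if a client built with %opts completed the request, which
# means it accepted a certificate it had no basis to trust.
sub accepts_untrusted {
    my (%opts) = @_;
    return HTTP::Tinyish->new(%opts)->get($url)->{success} ? 1 : 0;
}

my $default  = accepts_untrusted();
my $verified = accepts_untrusted(verify_SSL => 1);
kill 'TERM', $pid;
waitpid $pid, 0;

printf "default constructor: %s\n", $default  ? 'ACCEPTED untrusted cert' : 'rejected';
printf "verify_SSL => 1:     %s\n", $verified ? 'ACCEPTED untrusted cert' : 'rejected';
exit($default || $verified ? 1 : 0);   # non-zero exit if either client was fooled
```

The non-zero exit status makes the script usable as a regression check in a package test suite.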


