Bug#954058: libhttp-tinyish-perl: Please verify server identity via SSL
Felix Lechner
felix.lechner at lease-up.com
Mon Mar 16 04:24:42 GMT 2020
Package: libhttp-tinyish-perl
Severity: important

Dear maintainer,

Your package performs downloads that are presumed to be secure via
https:// but does not verify any server certificates.

I believe the encryption of a transmission has no value when talking
to the wrong person. Users of your package may not realize that
verification is turned off. You can see the dangerous default by
running the script at the end of this message.

Will you please turn on SSL verification in HTTP::Tinyish?

Kind regards
Felix Lechner

* * *
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tinyish;

# Request a host that presents a self-signed certificate.
my $response = HTTP::Tinyish->new->get('https://self-signed.badssl.com/');

die "Failed!\n"
    unless $response->{success};

# Reaching this point means the certificate was not verified.
print "$response->{status} $response->{reason}\n";

while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};
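
A check for the behaviour reported above, as an added example that is not part of the original message or of HTTP::Tinyish itself: it compares the default constructor with one that sets verify_SSL (the attribute HTTP::Tinyish shares with HTTP::Tiny) against the self-signed host from the report. The control URL https://badssl.com/ and the helper names fetch_ok and classify are assumptions of this example, and the script needs network access.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tinyish;

# Host from the report: presents a self-signed certificate.
my $untrusted = 'https://self-signed.badssl.com/';
# Assumption: control host with a publicly trusted certificate.
my $control   = 'https://badssl.com/';

# True if a client built with %attrs completes a GET to $url.
sub fetch_ok {
    my ($url, %attrs) = @_;
    my $response = HTTP::Tinyish->new(%attrs)->get($url);
    return $response->{success} ? 1 : 0;
}

# Classify one client configuration: 'inconclusive', 'accepts' or 'rejects'.
sub classify {
    my (%attrs) = @_;
    # Without a working control request, a failure against the untrusted
    # host could be a network problem rather than a certificate rejection.
    return 'inconclusive' unless fetch_ok($control, %attrs);
    return fetch_ok($untrusted, %attrs) ? 'accepts' : 'rejects';
}

my @cases = (
    [ 'default constructor' => {} ],
    [ 'verify_SSL => 1'     => { verify_SSL => 1 } ],
);

my $exit = 0;
for my $case (@cases) {
    my ($label, $attrs) = @$case;
    my $verdict = classify(%$attrs);
    printf "%-20s %s\n", "$label:", $verdict;
    # Any configuration that accepts the untrusted certificate fails the check.
    $exit = 1 if $verdict eq 'accepts';
}
exit $exit;
```

The non-zero exit status makes the script usable as a regression check: it fails whenever a client configuration completes the request to the self-signed host.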