Bug#954059: libmenlo-perl: Please verify server identity via SSL

Felix Lechner felix.lechner at lease-up.com
Mon Mar 16 04:35:45 GMT 2020


Package: libmenlo-perl
Severity: important

Dear maintainer,

In the module lib/Menlo/Index/MetaCPAN.pm, your package performs a
download from a secure URL but does not enable server verification in
HTTP::Tinyish.

I believe the encryption of a transmission has no value when talking
to the wrong person. Users of your package may not realize that
verification is turned off. You can see the dangerous default by
running the script at the end of this message.

Will you please turn on SSL verification for HTTP::Tinyish?

Kind regards
Felix Lechner

* * *

#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Tinyish;

# Fetch a page served with a self-signed certificate using the default
# HTTP::Tinyish settings (no verify_SSL option given).
my $response = HTTP::Tinyish->new->get('https://self-signed.badssl.com/');

# With verification enabled this would die; with the default it succeeds.
die "Failed!\n"
    unless $response->{success};

print "$response->{status} $response->{reason}\n";

# Dump the response headers (multi-valued headers come back as arrayrefs).
while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};

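The following script is an added example, not part of the bug report above: it runs the same request twice, once with the default the report complains about and once with HTTP::Tinyish's verify_SSL option turned on, which is the change the report asks for in lib/Menlo/Index/MetaCPAN.pm. The helper name fetch_result is an invention of this example; the verify_SSL option itself is documented by HTTP::Tinyish, and it is assumed that the selected backend (HTTP::Tiny, LWP, curl or wget) honours it.

```perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Tinyish;

# Constructed helper: perform a GET with the given constructor options and
# return a short summary (success flag, status, reason) for comparison.
sub fetch_result {
    my ($url, %opts) = @_;
    my $http = HTTP::Tinyish->new(%opts);
    my $res  = $http->get($url);
    return {
        success => $res->{success} ? 1 : 0,
        status  => $res->{status},
        reason  => $res->{reason},
    };
}

# Host that presents a certificate no CA has signed.
my $url = 'https://self-signed.badssl.com/';

# 1. Default constructor: the report's point is that the untrusted
#    certificate is accepted here.
my $insecure = fetch_result($url);
printf "default      : %s (%s %s)\n",
    $insecure->{success} ? 'accepted  <- unsafe' : 'rejected',
    $insecure->{status}, $insecure->{reason};

# 2. verify_SSL => 1: the client must refuse to talk to a peer whose
#    certificate chain does not validate, so success should be false.
my $secure = fetch_result($url, verify_SSL => 1);
printf "verify_SSL=1 : %s (%s %s)\n",
    $secure->{success} ? 'accepted' : 'rejected  <- expected',
    $secure->{status}, $secure->{reason};

# Fail loudly if verification did not take effect, e.g. because the chosen
# backend ignored the option; that is the condition a packager should test.
die "verify_SSL had no effect: untrusted certificate was accepted\n"
    if $secure->{success};
```

Running it on a machine with a working CA bundle prints an accepted line for the default constructor and a rejected line for the verify_SSL case; if both lines read accepted, the backend in use is not verifying and the final die fires.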