Bug#954089: libplack-perl: Please verify server identity via SSL
Felix Lechner
felix.lechner at lease-up.com
Mon Mar 16 15:28:07 GMT 2020
Package: libplack-perl
Severity: important
Dear maintainer,

Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value.

By default, HTTP::Tiny does not validate the identity of server certificates. The documentation states that "Server identity verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling up: "we're not going to be responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission has no value when talking to the wrong person. You can easily see HTTP::Tiny's useless and dangerous default in Plack::LWPish by running the script at the end of this message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny? Alternatively, please alert your users so they do not rely on standard HTTPS security guarantees when using your module.

Kind regards,
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
* * *
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use Plack::LWPish;

# Host that presents a self-signed certificate; a verifying client must reject it.
my $request = HTTP::Request->new(GET => 'https://self-signed.badssl.com/');

# Default construction: verify_SSL is left unset, so HTTP::Tiny does not
# check the server certificate and the request below succeeds.
my $ua = Plack::LWPish->new;
my $response = $ua->request($request); # returns HTTP::Response

if ($response->is_success) {
    print $response->decoded_content;
} else {
    print STDERR $response->status_line, "\n";
}
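The counterpart to the script above, added here as an example and not part of the original report: the same request issued twice through Plack::LWPish, once with HTTP::Tiny's default and once with verify_SSL set, so the effect of the attribute is visible side by side. It assumes that Plack::LWPish->new passes its arguments through to HTTP::Tiny->new, and that IO::Socket::SSL and a CA bundle are installed so that verification can actually run.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use Plack::LWPish;

# Same self-signed test host as the report above.
my $url = 'https://self-signed.badssl.com/';

# Build a Plack::LWPish client with the given HTTP::Tiny options and issue
# one GET. Assumption: Plack::LWPish->new hands its arguments to
# HTTP::Tiny->new unchanged, so verify_SSL reaches HTTP::Tiny.
sub fetch_with {
    my (%tiny_opts) = @_;
    my $ua = Plack::LWPish->new(%tiny_opts);
    return $ua->request(HTTP::Request->new(GET => $url));
}

# 1. Default: verify_SSL unset, the self-signed certificate is accepted
#    and the request succeeds even though the peer was never identified.
my $insecure = fetch_with();
printf "verify_SSL unset : %s\n", $insecure->status_line;

# 2. verify_SSL => 1: HTTP::Tiny refuses the handshake and reports it as an
#    internal 599 response whose body carries the SSL error text.
my $secure = fetch_with(verify_SSL => 1);
printf "verify_SSL => 1  : %s\n", $secure->status_line;
print $secure->decoded_content, "\n" unless $secure->is_success;

# Guard for a deployment check: a client that was meant to verify but still
# succeeds against this host has lost the option on the way to HTTP::Tiny.
die "verify_SSL had no effect; check how the client is constructed\n"
    if $secure->is_success;
```

If the verifying request fails with a message about a missing IO::Socket::SSL or CA file rather than a certificate error, the environment, not the option, is the cause.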