Bug#954109: librole-rest-client-perl: Please verify server identity via SSL

Felix Lechner felix.lechner at lease-up.com
Mon Mar 16 22:12:37 GMT 2020


Package: librole-rest-client-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny, but it does not force
the verify_SSL attribute to a true value.

By default, HTTP::Tiny does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling down: "we're not going to be
responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see
HTTP::Tiny's useless and dangerous default in Role::REST::Client by
running the script at the end of this message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Alternatively, please alert your users so they do not rely on standard
HTTPS security guarantees when using your module.

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl

use strict;
use warnings;

{
    package RESTExample;

    use Moo;
    with 'Role::REST::Client';

    # Fetch the server root and return the decoded body only on HTTP 200.
    sub access {
        my ($self) = @_;

        my $response = $self->get('/');

        return $response->data
          if $response->code == 200;

        return;
    }
}

# The certificate of this host is self-signed, yet the request succeeds
# because HTTP::Tiny does not verify the server certificate by default.
my $badssl = RESTExample->new(server => 'https://self-signed.badssl.com/');
print $badssl->access // "no 200 response\n";
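For comparison, the following script is an added example and is not part of the bug report or of the librole-rest-client-perl package. It runs the same request against the self-signed host twice with HTTP::Tiny directly, once with the default settings and once with verify_SSL set to a true value, so the difference between the two trust models is visible in the returned status. It then shows the verifying configuration handed to Role::REST::Client; the assumption there is that the role's clientattrs hash is forwarded to the constructor of the underlying HTTP::Tiny-based client, and the package name RESTExample is taken from the script above.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or the package. Requires
# HTTP::Tiny with IO::Socket::SSL and a usable CA store for verify_SSL.
use strict;
use warnings;
use HTTP::Tiny;

# Host whose certificate is self-signed; a verifying client must refuse it.
my $url = 'https://self-signed.badssl.com/';

# Default HTTP::Tiny: the TLS handshake completes against any certificate,
# so an impostor holding a self-signed certificate would be accepted too.
my $lax = HTTP::Tiny->new( timeout => 10 );
my $r1  = $lax->get($url);
printf "default      : success=%d status=%s\n",
    ( $r1->{success} ? 1 : 0 ), $r1->{status};

# verify_SSL => 1: the certificate chain is checked against the CA store and
# the hostname is matched. A failed handshake is reported as the internal
# status 599 with the error text in the content field, not as an exception.
my $strict = HTTP::Tiny->new( verify_SSL => 1, timeout => 10 );
my $r2     = $strict->get($url);
printf "verify_SSL=1 : success=%d status=%s\n",
    ( $r2->{success} ? 1 : 0 ), $r2->{status};
print "  reason: $r2->{content}\n" if $r2->{status} == 599;

# The same attribute reaches Role::REST::Client through its clientattrs hash
# (assumption: the hash is passed to the underlying client's constructor).
{
    package RESTExample;
    use Moo;
    with 'Role::REST::Client';
}

my $client = RESTExample->new(
    server      => $url,
    clientattrs => { verify_SSL => 1, timeout => 10 },
);
my $res = $client->get('/');
printf "Role::REST::Client with verify_SSL: code=%s\n", $res->code;
```

With verification enabled, a 599 from HTTP::Tiny (or an equivalent non-200 code from the role's response object) is the expected outcome for the self-signed host; a 200 from the same request means the connection was established without any check that the peer is the intended server.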
