Package: libmenlo-perl
Severity: important

Dear maintainer,

In the module lib/Menlo/Index/MetaCPAN.pm, your package performs a download from a secure URL but does not enable server verification in HTTP::Tinyish. I believe the encryption of a transmission has no value when talking to the wrong person.

Users of your package may not realize that verification is turned off. You can see the dangerous default by running the script at the end of this message.

Will you please turn on SSL verification for HTTP::Tinyish?

Kind regards
Felix Lechner

* * *

#!/usr/bin/perl

use HTTP::Tinyish;

my $response = HTTP::Tinyish->new->get('https://self-signed.badssl.com/');

die "Failed!\n" unless $response->{success};

print "$response->{status} $response->{reason}\n";

while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content} if length $response->{content};
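
An added example, not part of the original report and not Menlo's code: a small static check that flags HTTP::Tinyish constructor calls that leave certificate verification at its default or switch it off, generalized here to HTTP::Tiny as well. The sample source is constructed, the helper name audit_source is hypothetical, and the check assumes `verify_SSL` is the constructor attribute that enables verification, as it is in HTTP::Tiny.

```perl
#!/usr/bin/perl
# Added example: flag HTTP::Tiny / HTTP::Tinyish constructor calls that do
# not switch certificate verification on. Not code from Menlo.
use strict;
use warnings;

# Constructed sample source, standing in for files you would read from disk.
my $sample = <<'EOS';
my $plain   = HTTP::Tinyish->new;
my $agent   = HTTP::Tinyish->new(agent => "demo/1.0");
my $checked = HTTP::Tinyish->new(
    agent      => "demo/1.0",
    verify_SSL => 1,
);
my $off     = HTTP::Tiny->new(verify_SSL => 0, timeout => 10);
EOS

# Return one finding per constructor call whose argument list lacks a
# true verify_SSL value. Each finding is [line number, reason].
# (audit_source is a hypothetical helper name.)
sub audit_source {
    my ($src) = @_;
    my @findings;
    # The named group recurses so that nested parentheses stay balanced.
    while ($src =~ /\bHTTP::Tiny(?:ish)?->new\b\s*(?<args>\((?:[^()]++|(?&args))*\))?/g) {
        my $args = $+{args} // '';
        # Line number = newlines before the start of the match, plus one.
        my $line = 1 + (substr($src, 0, $-[0]) =~ tr/\n//);
        if ($args =~ /\bverify_SSL\s*=>\s*(\S+?)\s*[,)]/) {
            my $value = $1;
            push @findings, [$line, "verify_SSL set to $value"]
                if $value =~ /^(?:0|''|""|undef)$/;
        }
        else {
            push @findings, [$line, 'verify_SSL not set'];
        }
    }
    return @findings;
}

printf "line %d: %s\n", @$_ for audit_source($sample);
```

This is a textual heuristic: it only sees literal arguments, so a call site that passes its options through a hash variable still needs a manual look.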