Package: libplack-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. By default, HTTP::Tiny does not validate the identity of server certificates. The documentation states that "Server identity verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling up: "we're not going to be responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission has no value when talking to the wrong person. You can easily see HTTP::Tiny's useless and dangerous default in Plack::LWPish by running the script at the end of this message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny? Alternatively, please alert your users so they do not rely on standard HTTPS security guarantees when using your module.

Kind regards,
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request;
use Plack::LWPish;

# Fetch a page from a host that presents a self-signed certificate.
my $request = HTTP::Request->new(GET => 'https://self-signed.badssl.com/');
my $ua = Plack::LWPish->new;
my $response = $ua->request($request); # returns HTTP::Response

# With verify_SSL off, this branch is taken even though the certificate
# was never validated.
if ($response->is_success) {
    print $response->decoded_content;
} else {
    print STDERR $response->status_line, "\n";
}
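An added example (not part of the bug report, of Plack or of HTTP::Tiny) of the mitigation the report asks for: constructing the Plack::LWPish client with HTTP::Tiny's verify_SSL attribute turned on, plus a check that the resulting client rejects the self-signed host used above. It assumes that Plack::LWPish->new forwards its arguments to HTTP::Tiny->new, and that HTTP::Tiny's synthetic 599 status for connection and TLS failures is passed through into the HTTP::Response.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from Plack/HTTP::Tiny.
# Assumption: Plack::LWPish->new forwards its arguments to HTTP::Tiny->new.
use strict;
use warnings;
use HTTP::Request;
use Plack::LWPish;

# Build a client with certificate verification enabled.  verify_SSL and
# SSL_options are HTTP::Tiny constructor attributes; SSL_options is handed
# to IO::Socket::SSL.  A CA bundle is optional: without one, HTTP::Tiny
# falls back to Mozilla::CA or the system store.
sub verifying_client {
    my (%opt) = @_;
    my @ssl = $opt{ca_file}
        ? (SSL_options => { SSL_ca_file => $opt{ca_file} })
        : ();
    return Plack::LWPish->new(verify_SSL => 1, @ssl);
}

# Self-test for deployments: a client that accepts this host is not
# verifying.  Returns 1 if the self-signed certificate was rejected,
# 0 if the request went through.
sub rejects_self_signed {
    my ($ua) = @_;
    my $req = HTTP::Request->new(GET => 'https://self-signed.badssl.com/');
    my $res = $ua->request($req);
    # HTTP::Tiny reports connection/TLS failures (including a failed
    # certificate check) as a synthetic 599 response rather than dying.
    return $res->code == 599 ? 1 : 0;
}

my $ua = verifying_client();
if (rejects_self_signed($ua)) {
    print "OK: self-signed certificate was rejected\n";
} else {
    print STDERR "WARNING: client accepted a self-signed certificate\n";
    exit 1;
}
```

Pass ca_file => '/path/to/ca-bundle.pem' to verifying_client() to pin the trust store to a specific bundle instead of the platform default.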