develooper Front page | perl.libwww | Postings from March 2001

Re: libwww-perl-5.51 (with CGI security fix)

Thread Previous
Gisle Aas
March 15, 2001 12:34
Re: libwww-perl-5.51 (with CGI security fix)
Message ID:
[Seems like Gnus' MIME composition support is a bit flaky, so let me redo
the message without the MIMEs.]

A new release of libwww-perl should now be on CPAN.  This release
contains an important security fix for those that use LWP from CGI
scripts.  It is recommended that everybody that use LWP::UserAgent
(including LWP::Simple) in CGI scripts upgrade to this release.  If
you don't feel like upgrading you should at least apply the attached
patch to the 'env_proxy' method.
Changes since release 5.50 are:

    SECURITY FIX: If LWP::UserAgent::env_proxy is called in a CGI
    environment, the case-insensitivity when looking for "http_proxy"
    permits "HTTP_PROXY" to be found, but this can be trivially set by the
    web client using the "Proxy:" header.  The fix applied is that
    $ENV{HTTP_PROXY} is not longer honored for CGI scripts.
    The CGI_HTTP_PROXY environment variable can be used instead.
    Problem reported by Randal L. Schwartz.
    Fix qop="auth" handling for Digest authentication.
    Patch by Dave Dunkin <>.
    Explicit setting of action on HTML::Form had no effect because
    of a code typo.  Patch by BooK <>.
    HTTP::Daemon: The CONNECT method need special treatment because
    it does not provide a URI as argument (just a "hostname:port").
    The non-upward compatibility warning is that you must now call
    $request->url->host_port to get the host/port string for CONNECT,
    rather than calling $request->url and using the entire string.
    Based on patch from Randal L. Schwartz <>
    HTTP::Daemon: Create self URL based on $self->sockaddr.  This works
    better when LocalAddr is used to specify the port number.  Based on
    patch from Ben Low <>.
    Avoid potential '<FILE> chunk 1' messages at the end of the response


Index: lib/LWP/
RCS file: /cvsroot/libwww-perl/lwp5/lib/LWP/,v
retrieving revision 1.74
retrieving revision 1.77
diff -u -p -u -r1.74 -r1.77
--- lib/LWP/	2000/06/01 13:35:15	1.74
+++ lib/LWP/	2001/03/14 20:48:19	1.77
@@ -627,12 +627,24 @@ specify proxies like this (sh-syntax):
 Csh or tcsh users should use the C<setenv> command to define these
 environment variables.
+On systems with case-insensitive environment variables there exists a
+name clash between the CGI environment variables and the C<HTTP_PROXY>
+environment variable normally picked up by env_proxy().  Because of
+this C<HTTP_PROXY> is not honored for CGI scripts.  The
+C<CGI_HTTP_PROXY> environment variable can be used instead.
 sub env_proxy {
     my ($self) = @_;
     while(($k, $v) = each %ENV) {
+	    # Need to be careful when called in the CGI environment, as
+	    # the HTTP_PROXY variable is under control of that other guy.
+	    next if $k =~ /^HTTP_/;
+	    $k = "HTTP_PROXY" if $k eq "CGI_HTTP_PROXY";
+	}
 	$k = lc($k);
 	next unless $k =~ /^(.*)_proxy$/;
 	$k = $1;

Thread Previous Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About