[Seems like Gnus' MIME composition support is a bit flaky, so let me redo
the message without the MIMEs.]
A new release of libwww-perl should now be on CPAN. This release
contains an important security fix for those that use LWP from CGI
scripts. It is recommended that everybody that uses LWP::UserAgent
(including LWP::Simple) in CGI scripts upgrade to this release. If
you don't feel like upgrading you should at least apply the attached
patch to the 'env_proxy' method.
Changes since release 5.50 are:

SECURITY FIX: If LWP::UserAgent::env_proxy is called in a CGI
environment, the case-insensitivity when looking for "http_proxy"
permits "HTTP_PROXY" to be found, but this can be trivially set by the
web client using the "Proxy:" header. The fix applied is that
$ENV{HTTP_PROXY} is no longer honored for CGI scripts.
The CGI_HTTP_PROXY environment variable can be used instead.
Problem reported by Randal L. Schwartz.

Fix qop="auth" handling for Digest authentication.
Patch by Dave Dunkin <dave_dunkin@hotmail.com>.

Explicit setting of action on HTML::Form had no effect because
of a code typo. Patch by BooK <book@netcourrier.com>.

HTTP::Daemon: The CONNECT method needs special treatment because
it does not provide a URI as argument (just a "hostname:port").
The non-upward compatibility warning is that you must now call
$request->url->host_port to get the host/port string for CONNECT,
rather than calling $request->url and using the entire string.
Based on patch from Randal L. Schwartz <merlyn@stonehenge.com>

HTTP::Daemon: Create self URL based on $self->sockaddr. This works
better when LocalAddr is used to specify the port number. Based on
patch from Ben Low <ben@snrc.uow.edu.au>.

Avoid potential '<FILE> chunk 1' messages at the end of the response
'message'.

Regards,
Gisle

Index: lib/LWP/UserAgent.pm
===================================================================
RCS file: /cvsroot/libwww-perl/lwp5/lib/LWP/UserAgent.pm,v
retrieving revision 1.74
retrieving revision 1.77
diff -u -p -u -r1.74 -r1.77
--- lib/LWP/UserAgent.pm 2000/06/01 13:35:15 1.74
+++ lib/LWP/UserAgent.pm 2001/03/14 20:48:19 1.77
@@ -627,12 +627,24 @@ specify proxies like this (sh-syntax):
Csh or tcsh users should use the C<setenv> command to define these
environment variables.
+On systems with case-insensitive environment variables there exists a
+name clash between the CGI environment variables and the C<HTTP_PROXY>
+environment variable normally picked up by env_proxy(). Because of
+this C<HTTP_PROXY> is not honored for CGI scripts. The
+C<CGI_HTTP_PROXY> environment variable can be used instead.
+
=cut
sub env_proxy {
my ($self) = @_;
my($k,$v);
while(($k, $v) = each %ENV) {
+ if ($ENV{REQUEST_METHOD}) {
+ # Need to be careful when called in the CGI environment, as
+ # the HTTP_PROXY variable is under control of that other guy.
+ next if $k =~ /^HTTP_/;
+ $k = "HTTP_PROXY" if $k eq "CGI_HTTP_PROXY";
+ }
$k = lc($k);
next unless $k =~ /^(.*)_proxy$/;
$k = $1;
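
Review bot: The POD paragraph added at the top of this hunk ties the name clash to "systems with case-insensitive environment variables", but the code in env_proxy applies the skip on every platform, and it has to: the loop lowercases each key with `$k = lc($k)`, so an upper-case HTTP_PROXY is picked up regardless of how the operating system treats variable names. I would reword the POD to say that env_proxy itself matches names case-insensitively, so readers on case-sensitive systems do not conclude they are unaffected. Two smaller points on the added block: the `if ($ENV{REQUEST_METHOD})` test does not change between iterations and could be evaluated once before the `while` loop, and the POD could state that CGI detection relies on REQUEST_METHOD being set, since a script started in a CGI-like environment without that variable still honors HTTP_PROXY.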