Security Advisories (3)
CVE-2010-2253 (2010-07-06)

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CVE-2011-0633 (2011-01-20)

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.

CPANSA-libwww-perl-2017-01 (2017-11-06)

LWP::Protocol::file can open an existing file via the file:// scheme. However, the current version of LWP uses open FILEHANDLE,EXPR, which has the ability to execute arbitrary commands.
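
Why the open FILEHANDLE,EXPR form named in CPANSA-libwww-perl-2017-01 is risky, shown beside the three-argument form. This is an added example, not LWP's own code; the slurp helper and the file name are constructed for illustration, and a Unix-like system with an echo command is assumed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Read everything from $path using either form of open.
sub slurp {
    my ($path, $three_arg) = @_;
    my $fh;
    my $ok = $three_arg
        ? open($fh, '<', $path)   # mode is fixed; $path is only ever a file name
        : open($fh, $path);       # mode characters inside $path are interpreted
    return undef unless $ok;
    local $/;                     # slurp mode: read the whole stream at once
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed input: a name ending in "|". Two-argument open reads that as
# "run the text before the pipe as a command and read its output".
my $name = 'echo constructed-marker |';

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";

# No file with this name exists yet.
my $two_arg   = slurp($name, 0);
my $three_arg = slurp($name, 1);
die "two-argument open did not treat the name as a command"
    unless defined $two_arg && $two_arg eq "constructed-marker\n";
die "three-argument open should fail: no such file"
    if defined $three_arg;

# Create a file whose name is literally that string; the three-argument
# form opens it as an ordinary file and returns its content.
open(my $out, '>', $name) or die "create: $!";
print {$out} "literal file content\n";
close $out;
my $literal = slurp($name, 1);
die "three-argument open did not read the literal file"
    unless defined $literal && $literal eq "literal file content\n";

print "two-arg on the name:   ran a command, got: $two_arg";
print "three-arg on the name: read the file, got: $literal";

chdir '/' or die "chdir: $!";    # leave the temp dir so cleanup can remove it
```

Any path derived from a URL or other untrusted input should reach open only through the three-argument form with an explicit mode.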

NAME

lwp-dump - See what headers and content are returned for a URL

SYNOPSIS

lwp-dump [ options ] URL

DESCRIPTION

The lwp-dump program will get the resource identified by the URL and then dump the response object to STDOUT. This will display the headers returned and the initial part of the content, escaped so that it's safe to display even binary content. The escape syntax used is the same as for Perl's double-quoted strings. If there is no content, the string "(no content)" is shown in its place.

The following options are recognized:

--agent str

Override the user agent string passed to the server.

--keep-client-headers

LWP internally generates various Client-* headers that are stripped by lwp-dump in order to show the headers exactly as the server provided them. This option suppresses that stripping.

--max-length n

How much of the content to show. The default is 512. Set this to 0 for unlimited.

If the content is longer, the string is chopped at the limit and the string "...\n(### more bytes not shown)" is appended.

--method str

Use the given method for the request instead of the default "GET".

--parse-head

By default lwp-dump will not try to initialize headers by looking at the head section of HTML documents. This option enables this. This corresponds to "parse_head" in LWP::UserAgent.

SEE ALSO

lwp-request, LWP, "dump" in HTTP::Message