Security Advisories (5)
CPANSA-libwww-perl-2017-01 (2017-11-06)

LWP::Protocol::file can open existent file from file:// scheme. However, current version of LWP uses open FILEHANDLE,EXPR and it has ability to execute arbitrary command

CVE-2011-0633 (2011-01-20)

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.

CVE-2010-2253 (2010-07-06)

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CPANSA-libwww-perl-2001-01 (2001-03-14)

If LWP::UserAgent::env_proxy is called in a CGI environment, the case-insensitivity when looking for "http_proxy" permits "HTTP_PROXY" to be found, but this can be trivially set by the web client using the "Proxy:" header.

CVE-2026-8368 (2026-05-12)

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.

NAME

HTTP::Headers - Class encapsulating HTTP Message headers

SYNOPSIS

require HTTP::Headers;
$request = new HTTP::Headers;

DESCRIPTION

HTTP::Headers is a class encapsulating HTTP style message headers: attribute value pairs which may be repeated, and are printed in a particular order.

Instances of this class are usually created as member variables of the HTTP::Request and HTTP::Response classes, internally to the library.

METHODS

new()

Constructs a new HTTP::Headers object. You might pass some initial headers as parameters to the constructor. E.g.:

$h = new HTTP::Headers
    'Content-Type' => 'text/html',
    'MIME-Version' => '1.0',
    'Date'         => 'Thu, 03 Feb 1994 00:00:00 GMT';

clone()

Returns a copy of the object.

header($field [, $val],...)

Get/Set the value of a request header. The header field name is not case sensitive. The value argument may be a scalar or a reference to a list of scalars. If the value argument is not defined the header is not modified.

The method also accepts multiple ($field => $value) pairs.

The list of previous values for the last $field is returned. Only the first header value is returned in scalar context.

 $header->header('MIME-Version' => '1.0',
		 'User-Agent'   => 'My-Web-Client/0.01');
 $header->header('Accept' => "text/html, text/plain, image/*");
 @accepts = $header->header('Accept');

pushHeader($field, $val)

Add a new value to a field of the request header. The header field name is not case sensitive. The field need not already have a value. Duplicates are retained. The argument may be a scalar or a reference to a list of scalars.

$header->pushHeader('Accept' => 'image/jpeg');

removeHeader($field,...)

This function removes the headers with the specified names.

scan(\&doit)

Apply the subroutine to each header in turn. The routine is called with two parameters; the name of the field and a single value. If the header has more than one value, then the routine is called once for each value. The scan() routine uses case for the field name as suggested by HTTP Spec, and follows recommended "Good Practice" of ordering the header fields.

asString([$endl])

Return the header fields as a formatted MIME header. Since it uses scan() to build the string, the result will use case as suggested by HTTP Spec, and it will follow recommended "Good Practice" of ordering the header fieds.