Security Advisories (4)
CVE-2010-2253 (2010-07-06)

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CPANSA-libwww-perl-2001-01 (2001-03-14)

If LWP::UserAgent::env_proxy is called in a CGI environment, the case-insensitivity when looking for "http_proxy" permits "HTTP_PROXY" to be found, but this can be trivially set by the web client using the "Proxy:" header.

CVE-2011-0633 (2011-01-20)

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.

CPANSA-libwww-perl-2017-01 (2017-11-06)

LWP::Protocol::file can open an existing file through the file:// scheme. However, the current version of LWP uses open FILEHANDLE,EXPR, which is able to execute arbitrary commands.
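The difference behind CPANSA-libwww-perl-2017-01, as an added Perl example that is not code from libwww-perl: the two-argument open FILEHANDLE,EXPR form interprets its argument, while the three-argument form takes the path literally. The helper names (open_two_arg, open_three_arg, has_open_magic) and all sample paths are constructed for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Legacy two-argument form named in the advisory: Perl parses EXPR for a mode
# prefix, a leading or trailing pipe, and surrounding whitespace.
sub open_two_arg {
    my ($expr) = @_;
    open(my $fh, $expr) or return;
    return $fh;
}

# Three-argument form: the mode is its own argument, so the path is literal.
sub open_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Returns 1 if two-argument open would read $expr as more than a plain path
# (common cases only; a pre-check for logging, not a substitute for 3-arg open).
sub has_open_magic {
    my ($expr) = @_;
    return ( $expr =~ /\A\s|\s\z/           # surrounding whitespace is stripped
          || $expr =~ /\A(?:\+?[<>]|\|)/    # mode prefix or leading pipe
          || $expr =~ /\|\z/                # trailing pipe: EXPR is run as a command
          || $expr eq '-' ) ? 1 : 0;        # bare dash means STDIN
}

# Constructed sample: one real file, requested under a name with a trailing space.
my $dir   = tempdir(CLEANUP => 1);
my $plain = File::Spec->catfile($dir, 'notes.txt');
open(my $out, '>', $plain) or die "cannot create $plain: $!";
print {$out} "contents of notes.txt\n";
close($out) or die "cannot close $plain: $!";

my $requested = "$plain ";    # not the name of any existing file
for my $case (['two-arg', \&open_two_arg], ['three-arg', \&open_three_arg]) {
    my ($label, $opener) = @$case;
    my $fh = $opener->($requested);
    printf "%-9s: %s\n", $label, $fh ? 'opened notes.txt instead' : "refused ($!)";
}

# Constructed paths, classified only and never opened.
for my $p ('/srv/docs/a.txt', '/srv/docs/a.txt ', '/srv/docs/tool|', '-') {
    printf "%-20s magic=%d\n", "'$p'", has_open_magic($p);
}
```

The two-argument call silently opens a different file than the one named, which is the same parsing step that lets a trailing pipe turn a path into a command; the three-argument call fails because no file with that exact name exists.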

NAME

LWP - Library for WWW access in Perl

ARCHITECTURE

The architecture of the library is object oriented. The user agent, requests sent and responses received from the WWW server are all represented by objects. This makes for a simple yet powerful interface to these services. The interface is easy to extend and customize for your needs.

You should first read the documentation for LWP::UserAgent. Then you might want to look at how the scripts request and mirror are implemented. More examples are found among the tests in the t directory.

Overview of classes and packages

This table should give you a quick overview of the classes used by the library. Indentation shows class inheritance.

LWP::MemberMixin   -- Access to member variables of Perl5 classes
  LWP::UserAgent   -- WWW user agent class
  LWP::Protocol          -- Interface to various protocol schemes
    LWP::Protocol::http  -- http:// access
    LWP::Protocol::file  -- file:// access
    ...

LWP::Socket        -- Socket creation and reading (LWP::Protocol::http)

HTTP::Headers      -- MIME/RFC822 style header (used by HTTP::Message)
HTTP::Message      -- HTTP style message
  HTTP::Request    -- HTTP request
  HTTP::Response   -- HTTP response

URI::URL           -- Uniform Resource Locators

The following modules provide various functions and definitions.

LWP                -- This file.  Library version number.
LWP::MediaTypes    -- MIME types configuration (text/html etc.)
LWP::Debug         -- Debug logging module
LWP::Simple        -- Simplified procedural interface for common functions
HTTP::Status       -- HTTP status code (200 OK etc)
HTTP::Date         -- Date parsing module for HTTP date formats

ACKNOWLEDGEMENTS

This package owes a lot in motivation, design, and code, to the libwww-perl library for Perl 4, maintained by Roy Fielding <fielding@ics.uci.edu>.

That package used work from Alberto Accomazzi, James Casey, Brooks Cutter, Martijn Koster, Oscar Nierstrasz, Mel Melchner, Gertjan van Oosten, Jared Rhine, Jack Shirazi, Gene Spafford, Marc VanHeyningen, Steven E. Brenner, Marion Hakanson, Waldemar Kebsch, Tony Sanders, and Larry Wall; see the libwww-perl library for details.

The primary architects for this Perl 5 library are Martijn Koster and Gisle Aas, with lots of help from Graham Barr, Tim Bunce, Andreas Koenig, Jared Rhine, and Jack Shirazi.

COPYRIGHT

Copyright (c) 1995 Martijn Koster. All rights reserved. Copyright (c) 1995 Gisle Aas. All rights reserved.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

AVAILABILITY

The latest version of this library is likely to be available from:

http://www.oslonett.no/home/aas/perl/www/

The best place to discuss this code is on the <libwww-perl@ics.uci.edu> mailing list. The email addresses of the principal authors are <m.koster@webcrawler.com> and <aas@oslonett.no>.