Security Advisories (5)
CPANSA-libwww-perl-2017-01 (2017-11-06)

LWP::Protocol::file can open existent file from file:// scheme. However, current version of LWP uses open FILEHANDLE,EXPR and it has ability to execute arbitrary command

CVE-2011-0633 (2011-01-20)

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.

CVE-2010-2253 (2010-07-06)

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CPANSA-libwww-perl-2001-01 (2001-03-14)

If LWP::UserAgent::env_proxy is called in a CGI environment, the case-insensitivity when looking for "http_proxy" permits "HTTP_PROXY" to be found, but this can be trivially set by the web client using the "Proxy:" header.

CVE-2026-8368 (2026-05-12)

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.

NAME

LWP::Protocol - Virtual base class for LWP protocols

DESCRIPTION

This class is the parent for all access method supported by the LWP library. It is used internally in the library.

When creating an instance of this class using LWP::Protocol::new() you pass a URL, and you get a initialised subclass appropriate for that access method. In other words, the constructor for this class calls the constructor for one of its subclasses;

The LWP::Protocol classes need to override the request() function which is used to request service for an access method. The overridden method can make use of the collect() function to collect together chunks of data received.

SEE ALSO

Inspect the LWP/Protocol/file.pm and LWP/Protocol/http.pm files for examples of usage.

METHODS AND FUNCTIONS

new

The LWP::Protocol constructor is inherited by subclasses. As this is a virtual base class this method should not be called like:

$prot = new LWP::Protocol()

LWP::Protocol::create($url)

Create an object of the class implementing the protocol to handle the given scheme. This is a function, not a method. It is more an object factory than a constructor. This is the function user agents should use to access protocols.

LWP::Protocol::implementor

LWP::Protocol::implementor($scheme);
LWP::Protocol::implementor($scheme, $class);

Get and/or set implementor class for a scheme. Returns '' if the specified scheme is not supported.

request(...)

$response = $protocol->request($request, $proxy, undef);
$response = $protocol->request($request, $proxy, '/tmp/sss');
$response = $protocol->request($request, $proxy, \&callback, 1024);

Dispactches a request over the protocol, and returns a response object. This method needs to be overridden in subclasses.

timeout($seconds)

Get and set the timeout value in seconds

useAlarm($yesno)

Indicates if the library is allowed to use the core alarm() function to implement timeouts.

collect($arg, $response, $collector)

Called to collect the content of a request, and process it appropriately into a scalar, file, or by calling a callback.

Note: We will only use the callback if $response->isSuccess(). This avoids sendig content data for redirects and authentization responses to the callback which would be confusing.