Security Advisories (4)
CVE-2010-2253 (2010-07-06)

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CPANSA-libwww-perl-2001-01 (2001-03-14)

If LWP::UserAgent::env_proxy is called in a CGI environment, the case-insensitivity when looking for "http_proxy" permits "HTTP_PROXY" to be found, but this can be trivially set by the web client using the "Proxy:" header.

CVE-2011-0633 (2011-01-20)

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.

CPANSA-libwww-perl-2017-01 (2017-11-06)

LWP::Protocol::file can open an existing file via the file:// scheme. However, the current version of LWP uses open FILEHANDLE,EXPR, which makes it possible to execute arbitrary commands.

NAME

uf_urlstr - Expand URL using heuristics

SYNOPSIS

use URI::Heuristic qw(uf_urlstr);
$url = uf_urlstr("perl");             # http://www.perl.com
$url = uf_urlstr("www.sol.no/sol");   # http://www.sol.no/sol
$url = uf_urlstr("aas");              # http://www.aas.no
$url = uf_urlstr("ftp.funet.fi");     # ftp://ftp.funet.fi
$url = uf_urlstr("/etc/passwd");      # file:/etc/passwd

DESCRIPTION

This module provides functions that expand strings into real URLs using some (random) heuristics. Already expanded URLs are not modified and are returned unchanged.

The following functions are provided:

uf_urlstr($str)

The uf_urlstr() function will try to make the string passed as argument into a proper absolute URL string. The "uf_" prefix stands for "User Friendly".

uf_url($str)

This function works the same way as uf_urlstr(), but it returns a URI::URL object.

ENVIRONMENT

If the hostname portion of a URL does not contain any dots, then certain qualified guesses will be made. These guesses are governed by the following two environment variables.

COUNTRY

This is the two letter country code (ISO 3166) for your location. If the domain name of your host ends with two letters, then it is taken to be the default country. See also Locale::Country.

URL_GUESS_PATTERN

Contains a space-separated list of URL patterns to try. The string "ACME" is used as a placeholder for the host name in the URL provided. Example:

URL_GUESS_PATTERN="www.ACME.no www.ACME.se www.ACME.com"
export URL_GUESS_PATTERN

Specifying URL_GUESS_PATTERN disables any guessing rules based on country. An empty URL_GUESS_PATTERN disables any guessing that involves host name lookups.
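
The SYNOPSIS shows that a bare path such as /etc/passwd expands to a file: URL, so code that passes untrusted strings through uf_urlstr() and then fetches the result should check the scheme first. The following is an added example, not part of the module's documentation; the helper name expand_for_fetch, the http/https allowlist, and the use of the URI module to parse the result are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the module or its author.
use strict;
use warnings;
use URI;
use URI::Heuristic qw(uf_urlstr);

# Assumed policy: schemes a fetcher may follow for untrusted input.
my %ALLOWED_SCHEME = map { $_ => 1 } qw(http https);

# expand_for_fetch() is a hypothetical helper name.
# Returns the expanded URL string, or nothing if the expansion
# does not end up on an allowed scheme.
sub expand_for_fetch {
    my ($input) = @_;
    return unless defined $input && length $input;

    # An empty URL_GUESS_PATTERN disables any guessing that involves
    # host name lookups, so untrusted input cannot trigger DNS queries.
    # "local" restores the caller's value when this sub returns.
    local $ENV{URL_GUESS_PATTERN} = '';

    my $expanded = uf_urlstr($input);
    return unless defined $expanded;

    # Strings the heuristics leave unchanged may have no scheme at all.
    my $scheme = URI->new($expanded)->scheme;
    return unless defined $scheme && $ALLOWED_SCHEME{ lc $scheme };

    return $expanded;
}

# Constructed sample inputs; the first three appear in the SYNOPSIS.
for my $input ('www.sol.no/sol', 'ftp.funet.fi', '/etc/passwd',
               'file:///etc/passwd', 'https://example.org/') {
    my $url = expand_for_fetch($input);
    printf "%-20s => %s\n", $input, defined $url ? $url : 'REJECTED';
}
```

Checking the scheme after expansion, rather than pattern-matching the raw input, covers both strings the heuristics turn into file: URLs and strings that already carry a scheme and are returned unchanged.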

COPYRIGHT

Copyright 1997, Gisle Aas

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.