Hello community,

here is the log from the commit of package perl-libwww-perl for 
openSUSE:Factory checked in at 2026-05-14 21:41:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-libwww-perl (Old)
 and      /work/SRC/openSUSE:Factory/.perl-libwww-perl.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-libwww-perl"

Thu May 14 21:41:47 2026 rev:98 rq:1352972 version:6.830.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-libwww-perl/perl-libwww-perl.changes        
2026-04-10 17:43:09.737465986 +0200
+++ 
/work/SRC/openSUSE:Factory/.perl-libwww-perl.new.1966/perl-libwww-perl.changes  
    2026-05-14 21:41:53.547980122 +0200
@@ -1,0 +2,19 @@
+Wed May 13 10:48:36 UTC 2026 - Tina Müller <[email protected]>
+
+- updated to 6.830.0 (6.83)
+   see /usr/share/doc/packages/perl-libwww-perl/Changes
+
+  6.83      2026-05-12 11:41:48Z
+      - LWP::UserAgent now strips Authorization and Proxy-Authorization headers
+        on cross-origin redirects (a different scheme, host, or port) to 
prevent
+        credential leakage to the redirect target. Same-origin redirects retain
+        credentials. Opt out with allow_credentialed_redirects => 1.
+        CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig
+        Palmquist.
+      - LWP::UserAgent now refuses https to http redirects by default to 
prevent
+        leaking remaining request headers and bodies over plaintext. Opt in 
with
+        allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by
+        Stig Palmquist.
+        bsc#1265156
+
+-------------------------------------------------------------------

Old:
----
  libwww-perl-6.82.tar.gz

New:
----
  libwww-perl-6.83.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-libwww-perl.spec ++++++
--- /var/tmp/diff_new_pack.KSW9pe/_old  2026-05-14 21:41:54.964038134 +0200
+++ /var/tmp/diff_new_pack.KSW9pe/_new  2026-05-14 21:41:54.968038297 +0200
@@ -18,10 +18,10 @@
 
 %define cpan_name libwww-perl
 Name:           perl-libwww-perl
-Version:        6.820.0
+Version:        6.830.0
 Release:        0
-# 6.82 -> normalize -> 6.820.0
-%define cpan_version 6.82
+# 6.83 -> normalize -> 6.830.0
+%define cpan_version 6.83
 License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        The World-Wide Web library for Perl
 URL:            https://metacpan.org/release/%{cpan_name}

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.KSW9pe/_old  2026-05-14 21:41:55.008039936 +0200
+++ /var/tmp/diff_new_pack.KSW9pe/_new  2026-05-14 21:41:55.012040100 +0200
@@ -1,6 +1,6 @@
-mtime: 1774854444
-commit: 423336627f3c35a72c913a0a252c3e1aeacab5b79dedae6e946855f982a0e308
-url: https://src.opensuse.org/perl/perl-libwww-perl.git
-revision: 423336627f3c35a72c913a0a252c3e1aeacab5b79dedae6e946855f982a0e308
+mtime: 1778669714
+commit: 7e79b66ddd420584febfdc5724fe7e6e831f6f847fdee9c47f543e0c6dc48ca1
+url: https://src.opensuse.org/perl/perl-libwww-perl
+revision: 7e79b66ddd420584febfdc5724fe7e6e831f6f847fdee9c47f543e0c6dc48ca1
 projectscmsync: https://src.opensuse.org/perl/_ObsPrj
 

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-05-13 12:55:14.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ libwww-perl-6.82.tar.gz -> libwww-perl-6.83.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/Changes new/libwww-perl-6.83/Changes
--- old/libwww-perl-6.82/Changes        2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/Changes        2026-05-12 13:41:52.000000000 +0200
@@ -1,5 +1,17 @@
 Change history for libwww-perl
 
+6.83      2026-05-12 11:41:48Z
+    - LWP::UserAgent now strips Authorization and Proxy-Authorization headers
+      on cross-origin redirects (a different scheme, host, or port) to prevent
+      credential leakage to the redirect target. Same-origin redirects retain
+      credentials. Opt out with allow_credentialed_redirects => 1.
+      CVE-2026-8368 reported by Kai Zen; PoC and initial patch by Stig
+      Palmquist.
+    - LWP::UserAgent now refuses https to http redirects by default to prevent
+      leaking remaining request headers and bodies over plaintext. Opt in with
+      allow_downgrade => 1. Related hardening alongside CVE-2026-8368; PoC by
+      Stig Palmquist.
+
 6.82      2026-03-29 17:02:10Z
     - Fix env_proxy() warning for unrelated environment variables (GH#501)
       (Olaf Alders) with patch provided by @kberry.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/MANIFEST 
new/libwww-perl-6.83/MANIFEST
--- old/libwww-perl-6.82/MANIFEST       2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/MANIFEST       2026-05-12 13:41:52.000000000 +0200
@@ -63,6 +63,7 @@
 t/local/http.t
 t/local/httpsub.t
 t/local/protosub.t
+t/redirect-credential-leak.t
 t/redirect.t
 t/robot/ua-get.t
 t/robot/ua.t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/META.json 
new/libwww-perl-6.83/META.json
--- old/libwww-perl-6.82/META.json      2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/META.json      2026-05-12 13:41:52.000000000 +0200
@@ -117,96 +117,96 @@
    "provides" : {
       "LWP" : {
          "file" : "lib/LWP.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Authen::Basic" : {
          "file" : "lib/LWP/Authen/Basic.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Authen::Digest" : {
          "file" : "lib/LWP/Authen/Digest.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Authen::Ntlm" : {
          "file" : "lib/LWP/Authen/Ntlm.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::ConnCache" : {
          "file" : "lib/LWP/ConnCache.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Debug" : {
          "file" : "lib/LWP/Debug.pm",
-         "version" : "6.82",
+         "version" : "6.83",
          "x_deprecated" : 1
       },
       "LWP::Debug::TraceHTTP" : {
          "file" : "lib/LWP/Debug/TraceHTTP.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::DebugFile" : {
          "file" : "lib/LWP/DebugFile.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::MemberMixin" : {
          "file" : "lib/LWP/MemberMixin.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol" : {
          "file" : "lib/LWP/Protocol.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::cpan" : {
          "file" : "lib/LWP/Protocol/cpan.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::data" : {
          "file" : "lib/LWP/Protocol/data.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::file" : {
          "file" : "lib/LWP/Protocol/file.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::ftp" : {
          "file" : "lib/LWP/Protocol/ftp.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::gopher" : {
          "file" : "lib/LWP/Protocol/gopher.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::http" : {
          "file" : "lib/LWP/Protocol/http.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::loopback" : {
          "file" : "lib/LWP/Protocol/loopback.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::mailto" : {
          "file" : "lib/LWP/Protocol/mailto.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::nntp" : {
          "file" : "lib/LWP/Protocol/nntp.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Protocol::nogo" : {
          "file" : "lib/LWP/Protocol/nogo.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::RobotUA" : {
          "file" : "lib/LWP/RobotUA.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::Simple" : {
          "file" : "lib/LWP/Simple.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       },
       "LWP::UserAgent" : {
          "file" : "lib/LWP/UserAgent.pm",
-         "version" : "6.82"
+         "version" : "6.83"
       }
    },
    "release_status" : "stable",
@@ -223,10 +223,10 @@
       "x_IRC" : "irc://irc.perl.org/#lwp",
       "x_MailingList" : "mailto:[email protected]";
    },
-   "version" : "6.82",
+   "version" : "6.83",
    "x_Dist_Zilla" : {
       "perl" : {
-         "version" : "5.042000"
+         "version" : "5.042002"
       },
       "plugins" : [
          {
@@ -769,7 +769,7 @@
                   "branch" : null,
                   "changelog" : "Changes",
                   "signed" : 0,
-                  "tag" : "v6.82",
+                  "tag" : "v6.83",
                   "tag_format" : "v%V",
                   "tag_message" : "v%V"
                },
@@ -1042,7 +1042,7 @@
       "Yves Orton <[email protected]>",
       "Zefram <[email protected]>"
    ],
-   "x_generated_by_perl" : "v5.42.0",
+   "x_generated_by_perl" : "v5.42.2",
    "x_serialization_backend" : "Cpanel::JSON::XS version 4.40",
    "x_spdx_expression" : "Artistic-1.0-Perl OR GPL-1.0-or-later"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/META.yml 
new/libwww-perl-6.83/META.yml
--- old/libwww-perl-6.82/META.yml       2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/META.yml       2026-05-12 13:41:52.000000000 +0200
@@ -30,74 +30,74 @@
 provides:
   LWP:
     file: lib/LWP.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Authen::Basic:
     file: lib/LWP/Authen/Basic.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Authen::Digest:
     file: lib/LWP/Authen/Digest.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Authen::Ntlm:
     file: lib/LWP/Authen/Ntlm.pm
-    version: '6.82'
+    version: '6.83'
   LWP::ConnCache:
     file: lib/LWP/ConnCache.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Debug:
     file: lib/LWP/Debug.pm
-    version: '6.82'
+    version: '6.83'
     x_deprecated: 1
   LWP::Debug::TraceHTTP:
     file: lib/LWP/Debug/TraceHTTP.pm
-    version: '6.82'
+    version: '6.83'
   LWP::DebugFile:
     file: lib/LWP/DebugFile.pm
-    version: '6.82'
+    version: '6.83'
   LWP::MemberMixin:
     file: lib/LWP/MemberMixin.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol:
     file: lib/LWP/Protocol.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::cpan:
     file: lib/LWP/Protocol/cpan.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::data:
     file: lib/LWP/Protocol/data.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::file:
     file: lib/LWP/Protocol/file.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::ftp:
     file: lib/LWP/Protocol/ftp.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::gopher:
     file: lib/LWP/Protocol/gopher.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::http:
     file: lib/LWP/Protocol/http.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::loopback:
     file: lib/LWP/Protocol/loopback.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::mailto:
     file: lib/LWP/Protocol/mailto.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::nntp:
     file: lib/LWP/Protocol/nntp.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Protocol::nogo:
     file: lib/LWP/Protocol/nogo.pm
-    version: '6.82'
+    version: '6.83'
   LWP::RobotUA:
     file: lib/LWP/RobotUA.pm
-    version: '6.82'
+    version: '6.83'
   LWP::Simple:
     file: lib/LWP/Simple.pm
-    version: '6.82'
+    version: '6.83'
   LWP::UserAgent:
     file: lib/LWP/UserAgent.pm
-    version: '6.82'
+    version: '6.83'
 requires:
   Digest::MD5: '0'
   Encode: '2.12'
@@ -138,10 +138,10 @@
   bugtracker: https://github.com/libwww-perl/libwww-perl/issues
   homepage: https://github.com/libwww-perl/libwww-perl
   repository: https://github.com/libwww-perl/libwww-perl.git
-version: '6.82'
+version: '6.83'
 x_Dist_Zilla:
   perl:
-    version: '5.042000'
+    version: '5.042002'
   plugins:
     -
       class: Dist::Zilla::Plugin::Git::GatherDir
@@ -581,7 +581,7 @@
           branch: ~
           changelog: Changes
           signed: 0
-          tag: v6.82
+          tag: v6.83
           tag_format: v%V
           tag_message: v%V
         Dist::Zilla::Role::Git::Repo:
@@ -814,6 +814,6 @@
   - 'Yury Zavarin <[email protected]>'
   - 'Yves Orton <[email protected]>'
   - 'Zefram <[email protected]>'
-x_generated_by_perl: v5.42.0
+x_generated_by_perl: v5.42.2
 x_serialization_backend: 'YAML::Tiny version 1.76'
 x_spdx_expression: 'Artistic-1.0-Perl OR GPL-1.0-or-later'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/Makefile.PL 
new/libwww-perl-6.83/Makefile.PL
--- old/libwww-perl-6.82/Makefile.PL    2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/Makefile.PL    2026-05-12 13:41:52.000000000 +0200
@@ -90,7 +90,7 @@
     "Test::Needs" => 0,
     "Test::RequiresInternet" => 0
   },
-  "VERSION" => "6.82",
+  "VERSION" => "6.83",
   "test" => {
     "TESTS" => "t/*.t t/base/*.t t/base/protocols/*.t t/leak/*.t t/local/*.t 
t/robot/*.t"
   }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Authen/Basic.pm 
new/libwww-perl-6.83/lib/LWP/Authen/Basic.pm
--- old/libwww-perl-6.82/lib/LWP/Authen/Basic.pm        2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Authen/Basic.pm        2026-05-12 
13:41:52.000000000 +0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require Encode;
 require MIME::Base64;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Authen/Digest.pm 
new/libwww-perl-6.83/lib/LWP/Authen/Digest.pm
--- old/libwww-perl-6.82/lib/LWP/Authen/Digest.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Authen/Digest.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -3,7 +3,7 @@
 use strict;
 use parent 'LWP::Authen::Basic';
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require Digest::MD5;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Authen/Ntlm.pm 
new/libwww-perl-6.83/lib/LWP/Authen/Ntlm.pm
--- old/libwww-perl-6.82/lib/LWP/Authen/Ntlm.pm 2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/Authen/Ntlm.pm 2026-05-12 13:41:52.000000000 
+0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 use Authen::NTLM "1.02";
 use MIME::Base64 "2.12";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/ConnCache.pm 
new/libwww-perl-6.83/lib/LWP/ConnCache.pm
--- old/libwww-perl-6.82/lib/LWP/ConnCache.pm   2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/ConnCache.pm   2026-05-12 13:41:52.000000000 
+0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 our $DEBUG;
 
 sub new {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Debug/TraceHTTP.pm 
new/libwww-perl-6.83/lib/LWP/Debug/TraceHTTP.pm
--- old/libwww-perl-6.82/lib/LWP/Debug/TraceHTTP.pm     2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Debug/TraceHTTP.pm     2026-05-12 
13:41:52.000000000 +0200
@@ -11,7 +11,7 @@
 use strict;
 use parent 'LWP::Protocol::http';
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 package # hide from PAUSE
     LWP::Debug::TraceHTTP::Socket;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Debug.pm 
new/libwww-perl-6.83/lib/LWP/Debug.pm
--- old/libwww-perl-6.82/lib/LWP/Debug.pm       2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/Debug.pm       2026-05-12 13:41:52.000000000 
+0200
@@ -1,6 +1,6 @@
 package LWP::Debug;    # legacy
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require Exporter;
 our @ISA       = qw(Exporter);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/DebugFile.pm 
new/libwww-perl-6.83/lib/LWP/DebugFile.pm
--- old/libwww-perl-6.82/lib/LWP/DebugFile.pm   2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/DebugFile.pm   2026-05-12 13:41:52.000000000 
+0200
@@ -1,6 +1,6 @@
 package LWP::DebugFile;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 # legacy stub
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/MemberMixin.pm 
new/libwww-perl-6.83/lib/LWP/MemberMixin.pm
--- old/libwww-perl-6.82/lib/LWP/MemberMixin.pm 2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/MemberMixin.pm 2026-05-12 13:41:52.000000000 
+0200
@@ -1,6 +1,6 @@
 package LWP::MemberMixin;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 sub _elem {
     my $self = shift;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/cpan.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/cpan.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/cpan.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/cpan.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -4,7 +4,7 @@
 
 use parent qw(LWP::Protocol);
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require URI;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/data.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/data.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/data.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/data.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -4,7 +4,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/file.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/file.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/file.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/file.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -4,7 +4,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require LWP::MediaTypes;
 require HTTP::Request;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/ftp.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/ftp.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/ftp.pm        2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/ftp.pm        2026-05-12 
13:41:52.000000000 +0200
@@ -5,7 +5,7 @@
 use parent qw(LWP::Protocol);
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 use Carp            ();
 use HTTP::Status    ();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/gopher.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/gopher.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/gopher.pm     2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/gopher.pm     2026-05-12 
13:41:52.000000000 +0200
@@ -9,7 +9,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/http.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/http.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/http.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/http.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/loopback.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/loopback.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/loopback.pm   2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/loopback.pm   2026-05-12 
13:41:52.000000000 +0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/mailto.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/mailto.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/mailto.pm     2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/mailto.pm     2026-05-12 
13:41:52.000000000 +0200
@@ -11,7 +11,7 @@
 use Carp;
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 use parent qw(LWP::Protocol);
 our $SENDMAIL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/nntp.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/nntp.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/nntp.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/nntp.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -4,7 +4,7 @@
 
 use parent qw(LWP::Protocol);
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol/nogo.pm 
new/libwww-perl-6.83/lib/LWP/Protocol/nogo.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol/nogo.pm       2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol/nogo.pm       2026-05-12 
13:41:52.000000000 +0200
@@ -7,7 +7,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require HTTP::Response;
 require HTTP::Status;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Protocol.pm 
new/libwww-perl-6.83/lib/LWP/Protocol.pm
--- old/libwww-perl-6.82/lib/LWP/Protocol.pm    2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/Protocol.pm    2026-05-12 13:41:52.000000000 
+0200
@@ -2,7 +2,7 @@
 
 use parent 'LWP::MemberMixin';
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 use strict;
 use Carp ();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/RobotUA.pm 
new/libwww-perl-6.83/lib/LWP/RobotUA.pm
--- old/libwww-perl-6.82/lib/LWP/RobotUA.pm     2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/RobotUA.pm     2026-05-12 13:41:52.000000000 
+0200
@@ -2,7 +2,7 @@
 
 use parent qw(LWP::UserAgent);
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require WWW::RobotRules;
 require HTTP::Request;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/Simple.pm 
new/libwww-perl-6.83/lib/LWP/Simple.pm
--- old/libwww-perl-6.82/lib/LWP/Simple.pm      2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/Simple.pm      2026-05-12 13:41:52.000000000 
+0200
@@ -2,7 +2,7 @@
 
 use strict;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require Exporter;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP/UserAgent.pm 
new/libwww-perl-6.83/lib/LWP/UserAgent.pm
--- old/libwww-perl-6.82/lib/LWP/UserAgent.pm   2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/lib/LWP/UserAgent.pm   2026-05-12 13:41:52.000000000 
+0200
@@ -18,7 +18,7 @@
 use Scalar::Util qw(blessed openhandle);
 use Try::Tiny qw(try catch);
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 sub new
 {
@@ -93,6 +93,9 @@
     $cookie_jar_class = 'HTTP::Cookies'
       unless defined $cookie_jar_class;
 
+    my $allow_credentialed_redirects = delete 
$cnf{allow_credentialed_redirects};
+    my $allow_downgrade              = delete $cnf{allow_downgrade};
+
     # Actually ""s are just as good as 0's, but for concision we'll just say:
     Carp::croak("protocols_allowed has to be an arrayref or 0, not 
\"$protocols_allowed\"!")
       if $protocols_allowed and ref($protocols_allowed) ne 'ARRAY';
@@ -119,9 +122,11 @@
         no_proxy              => [ @{ $no_proxy } ],
         protocols_allowed     => $protocols_allowed,
         protocols_forbidden   => $protocols_forbidden,
-        requests_redirectable => $requests_redirectable,
-        send_te               => $send_te,
-        cookie_jar_class      => $cookie_jar_class,
+        requests_redirectable        => $requests_redirectable,
+        send_te                      => $send_te,
+        cookie_jar_class             => $cookie_jar_class,
+        allow_credentialed_redirects => $allow_credentialed_redirects,
+        allow_downgrade              => $allow_downgrade,
     }, $class;
 
     $self->agent(defined($agent) ? $agent : $class->_agent)
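Review bot: The three existing keys `requests_redirectable`, `send_te` and `cookie_jar_class` are re-aligned to the width of the new `allow_credentialed_redirects` key, while `no_proxy`, `protocols_allowed` and `protocols_forbidden` directly above keep the old column. The literal therefore ends up with two alignment columns, and a security fix carries whitespace-only changes on lines that did not change in meaning. I would either add only the two new keys and leave the existing lines untouched, or re-align the whole literal in a separate whitespace-only commit. The hash literal starts outside this hunk.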
@@ -369,6 +374,42 @@
         }
         $referral->uri($referral_uri);
 
+        # Strip caller-supplied credential headers on cross-origin
+        # redirect (different scheme/host/port). Same fix shape as
+        # libcurl CVE-2018-1000007. Opt-out via
+        # allow_credentialed_redirects => 1.
+        unless ($self->{allow_credentialed_redirects}) {
+            my $orig = $request->uri;
+            my $new  = $referral->uri;
+            my $orig_scheme = defined $orig->scheme ? $orig->scheme : q{};
+            my $new_scheme  = defined $new->scheme  ? $new->scheme  : q{};
+            my $orig_host   = defined $orig->host   ? lc $orig->host : q{};
+            my $new_host    = defined $new->host    ? lc $new->host  : q{};
+            my $orig_port   = eval { $orig->port } || 0;
+            my $new_port    = eval { $new->port  } || 0;
+            if (   $orig_scheme ne $new_scheme
+                || $orig_host   ne $new_host
+                || $orig_port   != $new_port)
+            {
+                $referral->remove_header('Authorization', 
'Proxy-Authorization');
+            }
+        }
+
+        # Refuse https->http downgrade by default. A caller who
+        # requested https reasonably expects end-to-end TLS; following
+        # a 3xx to plaintext leaks the body and remaining headers.
+        # Opt-out via allow_downgrade => 1.
+        my $orig_scheme = defined $request->uri->scheme  ? 
$request->uri->scheme  : q{};
+        my $new_scheme  = defined $referral->uri->scheme ? 
$referral->uri->scheme : q{};
+        if (   $orig_scheme eq 'https'
+            && $new_scheme  eq 'http'
+            && !$self->{allow_downgrade})
+        {
+            $response->header("Client-Warning" =>
+                "Refusing https->http redirect (set allow_downgrade => 1 to 
opt in)");
+            return $response;
+        }
+
         return $response unless $self->redirect_ok($referral, $response);
         return $self->request($referral, $arg, $size, $response);
 
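Review bot: In the cross-origin check, `$orig->host` and `$new->host` are called unguarded while `port` two lines below is wrapped in `eval`, so a redirect target whose URI class has no `host` method would die here instead of reaching the `redirect_ok` call that follows. URI classes for schemes such as `mailto:` or `data:` appear to lack `host`, and whether an outer handler catches the exception is not visible from this hunk; both are worth confirming. Because the Location value comes from the remote server, I would guard host the same way as port, e.g. `my $new_host = eval { $new->host }; $new_host = defined $new_host ? lc $new_host : q{};` and likewise for `$orig_host`. Separately, `$orig_scheme` and `$new_scheme` are computed twice, once inside the `unless` block and again for the downgrade check; hoisting them above both checks removes the duplication. The enclosing sub starts and ends outside this hunk.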
@@ -738,6 +779,8 @@
 sub local_address{ shift->_elem('local_address',@_); }
 sub max_size     { shift->_elem('max_size',     @_); }
 sub max_redirect { shift->_elem('max_redirect', @_); }
+sub allow_credentialed_redirects { 
shift->_elem('allow_credentialed_redirects', @_); }
+sub allow_downgrade              { shift->_elem('allow_downgrade', @_); }
 sub show_progress{ shift->_elem('show_progress', @_); }
 sub send_te      { shift->_elem('send_te',      @_); }
 
@@ -1322,27 +1365,41 @@
 Key/value pair arguments may be provided to set up the initial state.
 The following options correspond to attribute methods described below:
 
-   KEY                     DEFAULT
-   -----------             --------------------
-   agent                   "libwww-perl/#.###"
-   conn_cache              undef
-   cookie_jar              undef
-   cookie_jar_class        HTTP::Cookies
-   default_headers         HTTP::Headers->new
-   from                    undef
-   local_address           undef
-   max_redirect            7
-   max_size                undef
-   no_proxy                []
-   parse_head              1
-   protocols_allowed       undef
-   protocols_forbidden     undef
-   proxy                   {}
-   requests_redirectable   ['GET', 'HEAD']
-   send_te                 1
-   show_progress           undef
-   ssl_opts                { verify_hostname => 1 }
-   timeout                 180
+   KEY                            DEFAULT
+   ---------------------------    --------------------
+   agent                          "libwww-perl/#.###"
+   allow_credentialed_redirects   undef
+   allow_downgrade                undef
+   conn_cache                     undef
+   cookie_jar                     undef
+   cookie_jar_class               HTTP::Cookies
+   default_headers                HTTP::Headers->new
+   from                           undef
+   local_address                  undef
+   max_redirect                   7
+   max_size                       undef
+   no_proxy                       []
+   parse_head                     1
+   protocols_allowed              undef
+   protocols_forbidden            undef
+   proxy                          {}
+   requests_redirectable          ['GET', 'HEAD']
+   send_te                        1
+   show_progress                  undef
+   ssl_opts                       { verify_hostname => 1 }
+   timeout                        180
+
+When following a 3xx redirect to a different origin (a different
+scheme, host, or port), L<LWP::UserAgent> strips C<Authorization>
+and C<Proxy-Authorization> from the cloned request to avoid leaking
+caller-supplied credentials to the redirect target. Set
+C<allow_credentialed_redirects> to a true value to opt out and
+forward these headers across origins.
+
+A 3xx redirect that downgrades an C<https> request to plain C<http>
+is refused by default; the original response is returned with a
+C<Client-Warning> header explaining the refusal. Set C<allow_downgrade>
+to a true value to opt in to following such redirects.
 
 The following additional options are also accepted: If the C<env_proxy> option
 is passed in with a true value, then proxy settings are read from environment
@@ -1386,6 +1443,30 @@
 The user agent string should be one or more simple product identifiers
 with an optional version number separated by the C</> character.
 
+=head2 allow_credentialed_redirects
+
+    my $allow = $ua->allow_credentialed_redirects;
+    $ua->allow_credentialed_redirects( 1 );
+
+Get/set whether caller-supplied C<Authorization> and C<Proxy-Authorization>
+headers are forwarded across cross-origin 3xx redirects (a different scheme,
+host, or port). Defaults to a false value, meaning the headers are stripped
+on cross-origin redirects to avoid leaking credentials to the redirect target.
+Same-origin redirects always retain these headers.
+
+=head2 allow_downgrade
+
+    my $allow = $ua->allow_downgrade;
+    $ua->allow_downgrade( 1 );
+
+Get/set whether a 3xx redirect from an C<https> request to a plain
+C<http> URL is followed. Defaults to a false value, meaning such
+redirects are refused; the original response is returned with a
+C<Client-Warning> header. Set to a true value to opt in to following
+the redirect. Note that even when C<allow_downgrade> is true,
+cross-origin credential stripping still applies (see
+L</allow_credentialed_redirects>).
+
 =head2 conn_cache
 
     my $cache_obj = $ua->conn_cache;
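Review bot: The new `allow_credentialed_redirects` entry documents the default but not the consequence of enabling it. The setting lives on the agent (`$ua->allow_credentialed_redirects( 1 )`), so once true it covers every request that agent makes, and the headers go to whatever origin the responding server names in `Location`. I would add a sentence such as `Enable this only on an agent that talks exclusively to servers you trust to choose the redirect target.` The text also says "caller-supplied" without stating whether headers that come from `default_headers` are handled the same way; the hunk does not show this, so it is worth spelling out either way.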
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/lib/LWP.pm 
new/libwww-perl-6.83/lib/LWP.pm
--- old/libwww-perl-6.82/lib/LWP.pm     2026-03-29 19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/lib/LWP.pm     2026-05-12 13:41:52.000000000 +0200
@@ -1,6 +1,6 @@
 package LWP;
 
-our $VERSION = '6.82';
+our $VERSION = '6.83';
 
 require LWP::UserAgent;  # this should load everything you need
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/t/redirect-credential-leak.t 
new/libwww-perl-6.83/t/redirect-credential-leak.t
--- old/libwww-perl-6.82/t/redirect-credential-leak.t   1970-01-01 
01:00:00.000000000 +0100
+++ new/libwww-perl-6.83/t/redirect-credential-leak.t   2026-05-12 
13:41:52.000000000 +0200
@@ -0,0 +1,232 @@
+use strict;
+use warnings;
+
+# Regression test for CVE-2026-8368 — LWP::UserAgent cross-origin
+# redirect credential leak and related https->http downgrade hardening.
+
+use Test::More;
+use HTTP::Request ();
+use HTTP::Response ();
+
+{
+    package Test::CapturingUA;
+    use parent 'LWP::UserAgent';
+
+    sub new {
+        my ($class, %opts) = @_;
+        my $responses = delete $opts{_responses} || [];
+        my $self = $class->SUPER::new(%opts);
+        $self->{_responses} = $responses;
+        $self->{_requests}  = [];
+        return $self;
+    }
+
+    sub simple_request {
+        my ($self, $req) = @_;
+        push @{ $self->{_requests} }, $req->clone;
+        my $resp = shift @{ $self->{_responses} }
+            || HTTP::Response->new(500, 'no canned response');
+        $resp->request($req);
+        return $resp;
+    }
+}
+
+sub make_redirect {
+    my ($location) = @_;
+    my $r = HTTP::Response->new(302, 'Found');
+    $r->header(Location => $location);
+    return $r;
+}
+
+sub make_ok {
+    my $r = HTTP::Response->new(200, 'OK');
+    $r->content('done');
+    return $r;
+}
+
+sub build_request {
+    my ($url) = @_;
+    my $req = HTTP::Request->new(GET => $url);
+    $req->header('Authorization'       => 'Bearer s3cr3t');
+    $req->header('Proxy-Authorization' => 'Basic cHJveHk6c2VjcmV0');
+    return $req;
+}
+
+subtest 'scaffold: single request returns canned 200' => sub {
+    my $ua = Test::CapturingUA->new(_responses => [make_ok()]);
+    my $res = $ua->request(build_request('http://example/'));
+    is($res->code, 200, 'got 200');
+    is(scalar @{ $ua->{_requests} }, 1, 'one request captured');
+};
+
+subtest 'cross-host redirect strips Authorization + Proxy-Authorization' => 
sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://attacker.example/loot'),
+            make_ok(),
+        ],
+    );
+    my $res = $ua->request(build_request('http://victim.example/profile'));
+
+    is(scalar @{ $ua->{_requests} }, 2, 'two requests issued');
+    my $followup = $ua->{_requests}->[1];
+    is($followup->uri, 'http://attacker.example/loot', 'followup hit redirect 
target');
+    is($followup->header('Authorization'),       undef, 'Authorization 
stripped cross-host');
+    is($followup->header('Proxy-Authorization'), undef, 'Proxy-Authorization 
stripped cross-host');
+    is($res->code, 200, 'final response is 200');
+};
+
+subtest 'different port counts as cross-origin' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://victim.example:8080/x'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'),       undef, 'Authorization 
stripped on port change');
+    is($followup->header('Proxy-Authorization'), undef, 'Proxy-Authorization 
stripped on port change');
+};
+
+subtest 'different scheme counts as cross-origin' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('https://victim.example/profile'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'),       undef, 'Authorization 
stripped on scheme change');
+    is($followup->header('Proxy-Authorization'), undef, 'Proxy-Authorization 
stripped on scheme change');
+};
+
+subtest 'constructor accepts allow_credentialed_redirects under -w' => sub {
+    local $SIG{__WARN__} = sub { fail("unexpected warning: $_[0]") };
+    local $^W = 1;
+    my $ua = LWP::UserAgent->new(allow_credentialed_redirects => 1);
+    pass('constructor accepted allow_credentialed_redirects without warnings');
+    is($ua->{allow_credentialed_redirects}, 1, 'allow_credentialed_redirects 
stored');
+    is($ua->allow_credentialed_redirects, 1, 'accessor reads stored value');
+};
+
+subtest 'same-origin redirect keeps credential headers' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://victim.example/profile/new'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), 'Bearer s3cr3t',
+        'Authorization preserved same-origin');
+    is($followup->header('Proxy-Authorization'), 'Basic cHJveHk6c2VjcmV0',
+        'Proxy-Authorization preserved same-origin');
+};
+
+subtest 'host comparison is case-insensitive' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://VICTIM.example/profile/new'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), 'Bearer s3cr3t',
+        'Authorization preserved when host differs only in case');
+};
+
+subtest 'default-port normalization treats http://h/ and http://h:80/ as same 
origin' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://victim.example:80/profile/new'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), 'Bearer s3cr3t',
+        'Authorization preserved when explicit port matches default');
+};
+
+subtest 'allow_credentialed_redirects opt-out via constructor' => sub {
+    my $ua = Test::CapturingUA->new(
+        allow_credentialed_redirects => 1,
+        _responses => [
+            make_redirect('http://attacker.example/loot'),
+            make_ok(),
+        ],
+    );
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), 'Bearer s3cr3t',
+        'Authorization forwarded when allow_credentialed_redirects is true');
+};
+
+subtest 'allow_credentialed_redirects opt-out via accessor' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://attacker.example/loot'),
+            make_ok(),
+        ],
+    );
+    $ua->allow_credentialed_redirects(1);
+    $ua->request(build_request('http://victim.example/profile'));
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), 'Bearer s3cr3t',
+        'Authorization forwarded after $ua->allow_credentialed_redirects(1)');
+};
+
+subtest 'https -> http downgrade is refused' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://victim.example/profile'),
+            make_ok(),
+        ],
+    );
+    my $res = $ua->request(build_request('https://victim.example/profile'));
+
+    is(scalar @{ $ua->{_requests} }, 1, 'follow-up request was NOT issued');
+    is($res->code, 302, 'returned the original 302 response');
+    like(
+        $res->header('Client-Warning'),
+        qr/Refusing https->http redirect/,
+        'Client-Warning explains the refusal'
+    );
+};
+
+subtest 'allow_downgrade opts in to https -> http (constructor)' => sub {
+    my $ua = Test::CapturingUA->new(
+        allow_downgrade => 1,
+        _responses => [
+            make_redirect('http://victim.example/profile'),
+            make_ok(),
+        ],
+    );
+    my $res = $ua->request(build_request('https://victim.example/profile'));
+
+    is(scalar @{ $ua->{_requests} }, 2, 'follow-up request was issued');
+    is($res->code, 200, 'final response is 200 OK');
+    my $followup = $ua->{_requests}->[1];
+    is($followup->header('Authorization'), undef,
+        'Authorization still stripped (scheme change is cross-origin)');
+};
+
+subtest 'allow_downgrade opts in to https -> http (accessor)' => sub {
+    my $ua = Test::CapturingUA->new(
+        _responses => [
+            make_redirect('http://victim.example/profile'),
+            make_ok(),
+        ],
+    );
+    $ua->allow_downgrade(1);
+    my $res = $ua->request(build_request('https://victim.example/profile'));
+
+    is(scalar @{ $ua->{_requests} }, 2, 'follow-up issued after accessor set');
+    is($res->code, 200, 'final response is 200 OK');
+};
+
+done_testing;
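Review bot: The `allow_downgrade` subtests never check `Proxy-Authorization`. The constructor variant asserts only that `Authorization` is stripped, and the accessor variant checks just the request count and status code, so a regression that forwards either header over plain http after the opt-in would pass. Adding `is($followup->header('Proxy-Authorization'), undef, 'Proxy-Authorization still stripped on downgrade');` to the constructor subtest, and both header assertions to the accessor subtest, pins what the POD states about stripping still applying. Every scenario here is also a single hop; a chain with a same-origin redirect followed by a cross-origin one would confirm the origin check runs at each hop.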
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libwww-perl-6.82/xt/author/eol.t 
new/libwww-perl-6.83/xt/author/eol.t
--- old/libwww-perl-6.82/xt/author/eol.t        2026-03-29 19:02:14.000000000 
+0200
+++ new/libwww-perl-6.83/xt/author/eol.t        2026-05-12 13:41:52.000000000 
+0200
@@ -54,6 +54,7 @@
     't/local/http.t',
     't/local/httpsub.t',
     't/local/protosub.t',
+    't/redirect-credential-leak.t',
     't/redirect.t',
     't/robot/ua-get.t',
     't/robot/ua.t'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libwww-perl-6.82/xt/author/live/jigsaw/redirect-post.t 
new/libwww-perl-6.83/xt/author/live/jigsaw/redirect-post.t
--- old/libwww-perl-6.82/xt/author/live/jigsaw/redirect-post.t  2026-03-29 
19:02:14.000000000 +0200
+++ new/libwww-perl-6.83/xt/author/live/jigsaw/redirect-post.t  2026-05-12 
13:41:52.000000000 +0200
@@ -10,7 +10,8 @@
 
 plan tests => 10;
 
-my $ua = LWP::UserAgent->new(keep_alive => 1);
+# jigsaw redirects via https->http; opt in to follow the chain.
+my $ua = LWP::UserAgent->new(keep_alive => 1, allow_downgrade => 1);
 
 my $data = {foo => 'bar', baz => 'quux'};
 my $encoded_data = encode_utf8(encode_json($data));
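Review bot: The added comment above `LWP::UserAgent->new(keep_alive => 1, allow_downgrade => 1)` says why the opt-in is needed but not why it is acceptable here. The POST body visible in the hunk is fixed dummy data (`{foo => 'bar', baz => 'quux'}`), so sending it over plain http is harmless. Saying so keeps the line from being copied as a general pattern, e.g. `# jigsaw redirects via https->http; opt in to follow the chain (dummy test payload only).` The rest of the test lies outside the hunk, so whether any credential is attached later cannot be confirmed from here.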
