Package: libpandoc-wrapper-perl
Severity: important
Dear maintainer,
Your package uses the Perl module HTTP::Tiny to access the secure URL
https://api.github.com/repos/jgm/pandoc/releases/tags/$version
but it does not set the verify_SSL attribute to a true value.
By default, the module HTTP::Tiny does not validate the identity of
server certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]
As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]
I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.
Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Kind regards
Felix Lechner
[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
* * *
#!/usr/bin/perl
use HTTP::Tiny;
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
unless $response->{success};
print "$response->{status} $response->{reason}\n";
while (my ($k, $v) = each %{$response->{headers}}) {
for (ref $v eq 'ARRAY' ? @$v : $v) {
print "$k: $_\n";
}
}
print $response->{content}
if length $response->{content};
