
This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 130819
Status: open
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: vincent [...] vinc17.net
Cc: gregoa [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: default urllist config is insecure
Date: Fri, 25 Oct 2019 14:39:00 +0200
To: bug-CPAN [...] rt.cpan.org
From: Vincent Lefevre <vincent [...] vinc17.net>
CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains:

    if ($auto_config) {
        if(@{ $CPAN::Config->{urllist} }) {
            $CPAN::Frontend->myprint(
                "Your 'urllist' is already configured. Type 'o conf init urllist' to change it.\n"
            );
        }
        else {
            $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ];
        }
    }

[*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm

http://www.cpan.org/ is insecure.
https://www.cpan.org/ (i.e. with https) should be used instead.

Note: This is important, as the only current way to ensure security
is to check CHECKSUMS, but this file is downloaded via urllist.
Using http instead of https allows MITM attacks.

Note: my Debian bug report:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
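An added example, not code from the ticket or from CPAN.pm itself, showing the check an administrator can run on a configured 'urllist' before trusting it: entries fetched over cleartext transports are flagged, since a CHECKSUMS file pulled from such a mirror can be swapped by anyone on the path. The function names and the sample list are constructed for this illustration; it assumes the client can actually fetch over HTTPS.

```perl
#!/usr/bin/env perl
# Added example (hypothetical helpers, not part of CPAN.pm): audit a CPAN
# 'urllist' for mirrors that are not fetched over an authenticated transport.
use strict;
use warnings;

# Return the entries that should not be trusted for CHECKSUMS retrieval.
# https:// is accepted; file:// is a local mirror and is left alone;
# http://, ftp:// and anything without a parseable scheme are flagged.
sub insecure_mirrors {
    my ($urllist) = @_;
    my @flagged;
    for my $url (@$urllist) {
        my ($scheme) = $url =~ m{^([a-z][a-z0-9+.-]*)://}i;
        next if defined $scheme && lc($scheme) eq 'https';
        next if defined $scheme && lc($scheme) eq 'file';
        push @flagged, $url;
    }
    return @flagged;
}

# Rewrite http:// entries to https:// so the list can be committed from the
# cpan shell. Mirrors that do not serve HTTPS still need a manual check;
# www.cpan.org does, as the ticket notes.
sub harden_urllist {
    my ($urllist) = @_;
    return [ map { my $u = $_; $u =~ s{^http://}{https://}i; $u } @$urllist ];
}

# Constructed sample: the insecure default from the ticket plus a local mirror.
my @urllist = ('http://www.cpan.org/', 'file:///srv/cpan-mirror/');

print "insecure mirror: $_\n" for insecure_mirrors(\@urllist);
my $fixed = harden_urllist(\@urllist);
print "hardened urllist: @$fixed\n";

# To apply the hardened list persistently from the cpan shell:
#   o conf init urllist      (enter https://www.cpan.org/ when prompted)
#   o conf commit
```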
On Fri Oct 25 08:44:53 2019, vincent@vinc17.net wrote:
> CPAN/FirstTime.pm 5.5314 from CPAN 2.27[*] contains:
>
>     if ($auto_config) {
>         if(@{ $CPAN::Config->{urllist} }) {
>             $CPAN::Frontend->myprint(
>                 "Your 'urllist' is already configured. Type 'o conf init urllist' to change it.\n"
>             );
>         }
>         else {
>             $CPAN::Config->{urllist} = [ 'http://www.cpan.org/' ];
>         }
>     }
>
> [*] https://metacpan.org/source/ANDK/CPAN-2.27/lib/CPAN/FirstTime.pm
>
> http://www.cpan.org/ is insecure.
> https://www.cpan.org/ (i.e. with https) should be used instead.
>
> Note: This is important, as the only current way to ensure security
> is to check CHECKSUMS, but this file is downloaded via urllist.
> Using http instead of https allows MITM attacks.
>
> Note: my Debian bug report:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942851
I'd love to see this happen. I've put together a pull request for CPAN that adds HTTPS support. It has languished for two years. https://github.com/andk/cpanpm/pull/119