HTTP-Tiny
view release on metacpan or search on metacpan
Release notes for HTTP-Tiny
0.096 2026-06-08 11:21:49+02:00 Europe/Brussels
- No changes from 0.095-TRIAL
0.095 2026-06-03 13:10:05+02:00 Europe/Brussels (TRIAL RELEASE)
[!!! SECURITY !!!]
- Caller-supplied C<Authorization>, C<Cookie>, and C<Proxy-Authorization>
headers are now stripped on cross-origin redirects by default. Use
allow_credentialed_redirects to opt out.
- Redirects are no longer automatically followed when going from https to http.
Use allow_downgrade to revert to the original behaviour.
0.094 2026-05-17 10:31:00+02:00 Europe/Brussels
- No changes from 0.093-TRIAL
0.093 2026-05-11 17:18:12+02:00 Europe/Brussels (TRIAL RELEASE)
- fix to prevent invalid characters in all headers, and prevent header
smuggling (CVE-2026-7010)
0.092 2025-12-27 20:49:41+01:00 Europe/Berlin
- No changes from 0.091-TRIAL
0.091 2025-12-13 06:26:51+01:00 Europe/Brussels (TRIAL RELEASE)
[ADDED]
- Added keep_alive_timeout to force keepalive connections to be closed
based on a timeout.
[CHANGED]
- Optional tests are always required when releasing.
- Always use TCP_NODELAY option.
[FIXED]
- Fixed test incorrectly testing cookie jar interactions multiple times.
- Fixed perl version comparisons to work when not starting with 5.
- Fixed link to LIMITATIONS in documentation.
0.090 2024-11-12 11:51:32+01:00 Europe/Brussels
- No changes from 0.089-TRIAL
0.089 2024-10-21 09:35:48+02:00 Europe/Brussels (TRIAL RELEASE)
[CHANGED]
- Find the certificate bundle via IO::Socket::SSL rather than implementing
it in HTTP::Tiny.
- When encoding form data, given a hashref with an arrayref value,
preserve the order of the values in the arrayref rather than sorting.
[DOCS]
- Fixed internal link to "TLS/SSL SUPPORT" section
0.088 2023-07-11 08:52:54-04:00 America/New_York
[DOCS]
- Update metadata to point to new Perl-Toolchain-Gang repository.
0.086 2023-06-22 10:06:37-04:00 America/New_York
[FIXED]
- Fix code to use `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` as documented.
0.084 2023-06-14 06:35:01-04:00 America/New_York
- No changes from 0.083-TRIAL.
0.083 2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE)
[!!! SECURITY !!!]
- Changes the `verify_SSL` default parameter from `0` to `1`.
Fixes CVE-2023-31486.
- `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to restore the
old default if required.
0.061 2016-08-05 12:10:19-04:00 America/New_York (TRIAL RELEASE)
[FIXED]
- Avoid overwriting 'If-Modified-Since' header in mirror() if
the header already exists in something other than lower-case.
[TESTS]
- Normalize CRLF when reading test data files in t\150-post_form.t
on Win32
0.059 2016-07-29 16:10:32-04:00 America/New_York (TRIAL RELEASE)
[FIXED]
- Timeout can now be set as a constructor argument again.
- CVE-2016-1238: avoid loading optional modules from
@INC path with `.` at the end.
[TESTS]
- Updated tests for a future perl which may omit `.` from
the list of directories in @INC by default.
0.058 2016-05-03 11:29:57-04:00 America/New_York
- No changes from 0.057
0.057 2016-04-18 10:17:00-04:00 America/New_York (TRIAL RELEASE)
[ADDED]
- Added support for the SSL_CERT_FILE environment variable.
- Added 'peer' attribute to force a connection to a particular
server.
- Added 'connected' method to allow introspection of persistent
connections.
- An array reference of redirection result hash references is included
in the final response hash reference (but only if redirects occur).
[CHANGED]
- Because folded headers are obsoleted in the revised RFCs, if CRLF is
found in header values followed by one or more spaces, they are all
replaced by a single space.
[FIXED]
- Per the RFC, control headers are now sent first before other headers
(which are sent in arbitrary order).
- Only well-known headers have their case canonicalized; all other
headers are sent in the case provided by the user.
- The 'keep_alive' option now also sets the SO_KEEPALIVE option
on the underlying socket to help with long-lived, idle connections.
- Request header field values are now validated against the RFC rules
(i.e. empty or else space-or-tab separated tokens of printable
characters).
0.056 2015-05-19 06:00:40-04:00 America/New_York
- No changes from 0.055
0.055 2015-05-07 18:13:41-04:00 America/New_York (TRIAL RELEASE)
[ADDED]
- Added 'can_ssl' method to detect SSL support before trying and
failing with a fatal exception.
- Added support for 308 redirects
[FIXED]
- When specifying a custom CA file, if that file is missing or
unreadable, HTTP::Tiny will no longer fall back to a default CA
[DOCUMENTED]
- Noted units are bytes for max_size
0.054 2015-01-27 07:18:19-05:00 America/New_York
[ADDED]
- Added more fallback paths to find CA files (thanks golang)
[DOCUMENTED]
- Fixed a typo
0.053 2014-12-11 23:42:17-05:00 America/New_York
[FIXED]
- Defended tests against HTTP_PROXY set in the environment
0.052 2014-12-11 15:23:54-05:00 America/New_York
[CHANGED]
- Proxy allowed from environment variable HTTP_PROXY (uppercase) unless
REQUEST_METHOD is also set.
0.051 2014-11-17 22:58:44-05:00 America/New_York
[FIXED]
- Checks for threads without loading threads.pm
0.050 2014-09-23 15:30:18-04:00 America/New_York
[FIXED]
- Fixed CONNECT requests for some proxies
0.049 2014-09-02 11:20:07-04:00 America/New_York
[FIXED]
- 'keep_alive' is now fork-safe and thread-safe
0.048 2014-08-21 13:19:51-04:00 America/New_York
[FIXED]
- Protected proxy tests from ALL_PROXY in the environment
0.047 2014-07-29 14:09:05-04:00 America/New_York
[CHANGED]
- Updated Mozilla::CA module recommendation version to 20130114
[FIXED]
- Fixed t/00-report-prereqs.t when CPAN::Meta is not installed
0.046 2014-07-21 10:32:32-04:00 America/New_York
[FIXED]
- Empty header fields are now allowed; headers with the 'undef' value
will be rendered as an empty header.
[DOCUMENTED]
- Updated HTTP/1.1 spec description from RFC 2616 to RFC 7230-7235
0.045 2014-07-19 23:17:28-04:00 America/New_York (TRIAL RELEASE)
[FIXED]
- Fixed t/002_croakage.t for various operating systems.
0.044 2014-07-16 23:46:09-04:00 America/New_York
[CHANGED]
- Providing a custom 'Host' header is now a fatal exception. Previously, it
was silently ignored, as the RFC mandates that Host be set from the
URL, but ignoring it could lead to unexpected, confusing errors.
- optimized URL splitting
- Passing 'undef' for any proxy attribute will prevent HTTP::Tiny from
setting the proxy from the environment.
0.043 2014-02-20 20:40:23-05:00 America/New_York
[FIXED]
- Does not send absolute request URI when tunneling SSL via proxy
- Fixes regression in setting host name to verify SSL
- Protects tests from https_proxy and all_proxy when doing mock testing
0.042 2014-02-18 11:23:17EST-0500 America/New_York
[ADDED]
- If IO::Socket::IP 0.25+ is installed, HTTP::Tiny will use it for
transparent IPv4 or IPv6 support.
0.041 2014-02-17 13:07:54-05:00 America/New_York
[no code change, only an amended Changes file]
[INCOMPATIBLE CHANGES (from 0.039)]
- The 'proxy' attribute no longer takes precedence over the
'http_proxy' environment variable. With the addition of http_proxy
and https_proxy attributes (and corresponding environment variable
defaults), the legacy 'proxy' attribute now maps to the
all_proxy/ALL_PROXY environment variable and only takes effect when
other proxy attributes are not defined.
[ADDED (since 0.039)]
- Added 'keep_alive' attribute for single-server persistent connections
(Clinton Gormley)
- Added support for Basic authorization with proxies
- Added support for https proxies via CONNECT
[FIXED (since 0.039)]
- Requests are made with one less write for lower latency (Martin
Evans)
0.040 2014-02-17 13:02:47-05:00 America/New_York
[INCOMPATIBLE CHANGES]
- The 'proxy' attribute no longer takes precedence over the
'http_proxy' environment variable. With the addition of http_proxy
and https_proxy attributes (and corresponding environment variable
defaults), the legacy 'proxy' attribute now maps to the
all_proxy/ALL_PROXY environment variable and only takes effect when
other proxy attributes are not defined.
[ADDED]
- Added support for Basic authorization with proxies
- Added support for https proxies via CONNECT
0.039 2013-11-27 19:48:29 America/New_York
[FIXED]
- Temporary file creating during mirror() is now opened with O_EXCL
for added security
0.038 2013-11-18 12:56:26 America/New_York
[FIXED]
- Fixed a bug where authentication parameters in the URL would override
an existing Authorization header
0.037 2013-10-28 13:26:21 America/New_York
[FIXED]
- Basic authentication in the URL is now unescaped before being encoded
into the authentication header
[DOCUMENTED]
- Added HTTP::Tiny::UA to SEE ALSO and suggested it as the appropriate
place for new features
0.036 2013-09-25 12:10:06 America/New_York
[FIXED]
- Compile test could hang on Windows
( run in 1.568 second using v1.01-cache-2.11-cpan-71847e10f99 )