On systems with case insensitive environment variables there exists a name clash between the CGI environment variables and the HTTP_PROXY environment variable normally picked up by env_proxy(). Because of this HTTP_PROXY is not honored for CGI scripts. The CGI_HTTP_PROXY environment variable can be used instead. 2001-03-14 Gisle Aas Release 5.51 SECURITY FIX: If LWP::UserAgent::env_proxy is called in a CGI environment, the case-insensitivity when looking for "http_proxy" permits "HTTP_PROXY" to be found, but this can be trivially set by the web client using the "Proxy:" header. The fix applied is that $ENV{HTTP_PROXY} is not longer honored for CGI scripts. The CGI_HTTP_PROXY environment variable can be used instead. Problem reported by Randal L. Schwartz. sub env_proxy { my ($self) = @_; my($k,$v); while(($k, $v) = each %ENV) { if ($ENV{REQUEST_METHOD}) { # Need to be careful when called in the CGI environment, as # the HTTP_PROXY variable is under control of that other guy. next if $k =~ /^HTTP_/; $k = "HTTP_PROXY" if $k eq "CGI_HTTP_PROXY"; } $k = lc($k); next unless $k =~ /^(.*)_proxy$/; $k = $1; if ($k eq 'no') { $self->no_proxy(split(/\s*,\s*/, $v)); } else { $self->proxy($k, $v); } } }