From 38d736fcba105c66e34e8e19d4db31aea3982cb3 Mon Sep 17 00:00:00 2001
From: afresh1
Date: Tue, 9 Jun 2026 01:36:51 +0000
Subject: [PATCH] Upstream patch for HTTP-Tiny perl dist * CVE-2026-7010 https://lists.security.metacpan.org/cve-announce/msg/39952806/ HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
---
 gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
index 6ce4e044bb6..35d230b7281 100644
--- a/gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+++ b/gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
@@ -1381,6 +1381,8 @@ sub write_header_lines {
 my $field_name = $HeaderCase{$k};
 my $v = $headers->{$k};
 for (ref $v eq 'ARRAY' ? @$v : $v) {
+ die(qq/Invalid HTTP header field value ($field_name): / . $Printable->($_). "\n")
+ unless $_ eq '' || /\A $Field_Content \z/xo;
 $_ = '' unless defined $_;
 $buf .= "$field_name: $_\x0D\x0A";
 }
@@ -1572,6 +1574,12 @@ sub write_request_header {
 @_ == 5 || die(q/Usage: $handle->write_request_header(method, request_uri, headers, header_case)/ . "\n");
 my ($self, $method, $request_uri, $headers, $header_case) = @_;
+ die (q/Invalid characters in Request-URI /. $Printable->($request_uri). "\n")
+ if $request_uri =~ /[\x00-\x20\x7F]/;
+
+ die (q/Invalid characters in Method /. $Printable->($method). "\n")
+ if $method =~ /[\x00-\x20\x7F]/;
+
+ return $self->write_header_lines($headers, $header_case, "$method $request_uri HTTP/1.1\x0D\x0A");
 }
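Review bot: The new validation in the `for` loop runs before the existing `$_ = '' unless defined $_;`, so an undefined header value reaches `$_ eq ''` while still undef. It passes, since undef compares equal to the empty string, but would emit an uninitialized-value warning if warnings are enabled in this file, which the hunk does not show. Moving `$_ = '' unless defined $_;` above the `die` makes the order explicit and validates exactly the value that is appended to `$buf`. Whether CR, LF and NUL are actually rejected depends on `$Field_Content`, which like `$Printable` is defined outside the hunk; a comment such as `# reject CR/LF and other control bytes in field values (CVE-2026-7010)` above the check would record why it is there. write_header_lines starts and ends outside the hunk.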
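Review bot: An empty `$method` or `$request_uri` still passes both new checks in write_request_header, because each one only rejects a string containing a byte in `[\x00-\x20\x7F]`; the request line would then be written with an element missing. Whether callers can pass an empty value is not visible here, but the guard is cheap: `if $method eq '' || $method =~ /[\x00-\x20\x7F]/;` and the same for `$request_uri`. For the method, an allowlist of HTTP token characters would be tighter than this denylist, which also lets bytes above 0x7F through (that does not reintroduce CR/LF injection). As a style point, both new calls are written `die (` with a space, while the usage check above them and the new header-value check use `die(`.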