fixed a security bug introduced in 3.13.0 version that lead the HTTP built-in server to bypass Basic Authentication when the option 'hosts_deny' is not defined #309

Author: mikaku

lib/HTTPServer.pm

@@ -139,6 +139,10 @@ sub http_header {
 		# check if the IP address is forced to auth
 		my $denied;
 		my $allowed = ip_validity($ENV{REMOTE_ADDR}, $hosts_allow);
+
+		# specific behavior
+		$hosts_deny = "all" if !$hosts_deny;
+
 		$denied = ip_validity($ENV{REMOTE_ADDR}, $hosts_deny) if !$allowed;
 		if(!$allowed && $denied) {
 			my (undef, $encoded_str) = split(' ', $ENV{HTTP_AUTHORIZATION} || "");