May 20th, 2005

belize

LWPx::ParanoidAgent

I just uploaded LWPx-ParanoidAgent-1.00 to CPAN. Props to mart for finding even more things to be paranoid about.

For example, go to the OpenID demo page:
http://www.danga.com/openid/demo/demo.html

And try to validate some of these:
http://localhost-fortest.danga.com/ (resolves to localhost)
http://1117130646/ (livejournal)
http://kumquat.s8n.me.uk/ (resolves to 192.168.2.1)
http://0177.0.0.1/ (localhost)

The paranoid user agent will slap 'em all down, including the case where somebody runs a perfectly valid webserver that redirects to a hostname which resolves to a CNAME which resolves to an internal address... every step of the CNAME chain and every resulting address gets checked.
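The same defence sketched in Python, added here as an example and not code from LWPx::ParanoidAgent: it parses the odd IP literal forms above the way inet_aton does (octal and plain-integer hosts), walks CNAMEs through a constructed stand-in resolver (FAKE_DNS, invented records), and refuses any hop that lands on a non-public address; the caller is assumed to push every redirect target back through check_url.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed DNS stand-in, name -> ("CNAME", target) or ("A", ip); records are invented.
FAKE_DNS = {
    "localhost-fortest.danga.com": ("A", "127.0.0.1"),
    "kumquat.s8n.me.uk": ("A", "192.168.2.1"),
    "www.example.com": ("CNAME", "edge.example.net"),
    "edge.example.net": ("CNAME", "internal.example.net"),
    "internal.example.net": ("A", "10.0.0.5"),
}

def literal_ip(host):
    """inet_aton-style parse (1-4 parts, dec/octal/hex, last part fills the
    remaining bytes); returns IPv4Address, or None if not an IP literal."""
    parts, vals = host.split("."), []
    for p in parts:
        m = re.fullmatch(r"0[xX]([0-9a-fA-F]+)|(0[0-7]*)|([1-9][0-9]*)", p)
        if m is None:
            return None
        vals.append(int(m[1], 16) if m[1] else int(p, 8 if m[2] else 10))
    *lead, last = vals
    if len(lead) > 3 or any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    for i, v in enumerate(reversed(lead)):
        last |= v << (8 * (4 - len(lead) + i))
    return ipaddress.IPv4Address(last)

def check_url(url, resolver=FAKE_DNS, max_hops=8):
    """Vet the URL's host at every resolution hop; each redirect target
    must go through the same check. Returns (allowed, reason)."""
    host = urlsplit(url).hostname or ""
    for _ in range(max_hops):
        ip = literal_ip(host)
        if ip is None:
            kind, value = resolver.get(host, ("NX", None))
            if kind == "CNAME":
                host = value            # next hop gets the same scrutiny
                continue
            if kind != "A":
                return False, f"{host}: no such name"
            ip = ipaddress.IPv4Address(value)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False, f"{host} -> {ip} is not a public address"
        return True, f"{host} -> {ip}"
    return False, f"{host}: CNAME chain too long"
```

Run against the four demo URLs above, only the decimal-integer livejournal one is allowed; the CNAME-to-internal chain fails at the final hop, which is the case the module was extended to cover.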

I wonder what PHP's default "filename can be a URL" does about this problem. But PHP cares so much about security, I guess. :-)