May 20th, 2005



I just uploaded LWPx-ParanoidAgent-1.00 to CPAN. Props to mart for finding even more things to be paranoid about.

For example, go to the OpenID demo page:

And try to validate some of these:

(resolves to localhost)
http://1117130646/ (livejournal) (resolves to
http://0177.0.0.1/ (localhost)

The paranoid useragent will slap 'em all down. That includes the case where someone runs a valid web server that redirects to a hostname which resolves to a CNAME which resolves to an internal address... every step of the CNAMEs and addresses gets checked.
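An added example (not from the original post, and not LWPx::ParanoidAgent's own code) of the literal-host half of that check: it reads numeric hosts such as the two above the way a classic `inet_aton` resolver does, then tests the result against blocked ranges. The function names, the range list and the `extra_nets` parameter are assumptions made for illustration.

```python
import ipaddress

# Ranges an outbound fetcher should refuse (assumed list for this example).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _parse_part(part):
    """One dotted component, inet_aton style: 0x.. is hex, 0.. is octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        digits, base = p[2:], 16
    elif len(p) > 1 and p.startswith("0"):
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)


def canonical_ipv4(host):
    """Return the IPv4Address a legacy resolver would use, or None if host is a name."""
    parts = host.split(".")
    values = [_parse_part(p) for p in parts]
    if not 1 <= len(parts) <= 4 or any(v is None for v in values):
        return None
    # Leading parts are one byte each; the final part fills all remaining bytes.
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(addr)


def literal_is_blocked(host, extra_nets=()):
    """True if host is a numeric literal that lands in a blocked range."""
    addr = canonical_ipv4(host)
    if addr is None:
        return False  # a real name: resolve it and check every address instead
    nets = BLOCKED_NETS + [ipaddress.ip_network(n) for n in extra_nets]
    return any(addr in net for net in nets)
```

Hostnames that are not numeric literals still need every resolved address and every redirect target run through the same range check, as the post describes.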

I wonder what PHP's default "filename can be a URL" does about this problem. But PHP cares so much about security, I guess. :-)