Brad Fitzpatrick (brad) wrote,

LWPx::ParanoidAgent

I just uploaded LWPx-ParanoidAgent-1.00 to CPAN. Props to mart for finding even more things to be paranoid about.

For example, go to the OpenID demo page:
http://www.danga.com/openid/demo/demo.html

And try to validate some of these:
http://localhost-fortest.danga.com/ (a public hostname that resolves to localhost)
http://1117130646/ (LiveJournal's address written as a single decimal number)
http://kumquat.s8n.me.uk/ (resolves to 192.168.2.1, a private address)
http://0177.0.0.1/ (localhost, with the first octet written in octal)

The paranoid user agent will slap 'em all down. That includes the case where someone runs a perfectly valid web server which redirects to a hostname which resolves to a CNAME which in turn resolves to an internal address: every redirect target, every step of the CNAME chain, and every address it ends at is checked before anything is fetched.
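As an added illustration of the checks described above (this is example code written for this page, not LWPx::ParanoidAgent's own Perl), the Python below canonicalizes loose IP literals the way a C resolver would (decimal, octal and hex parts, or one bare 32-bit number), walks CNAME chains one hop at a time, rejects anything landing in a loopback/private range, and re-runs the same checks on every redirect target. The deny list, the rule that non-canonical IPv4 literals are refused outright, the hop and redirect limits, and all `*.example` names, addresses and the fake DNS/HTTP tables are assumptions constructed so the example runs offline; the two hostnames from the post are shown resolving to the addresses the post gives for them.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlsplit


class ParanoidError(Exception):
    """Raised when a URL, a DNS hop, or a redirect target points somewhere forbidden."""


# Assumption: a typical loopback/private/link-local/multicast deny list. The ranges
# LWPx::ParanoidAgent itself blocks are not listed on the page and may differ.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]

# One inet_aton-style numeric part: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_ipv4_literal(text):
    """Parse the loose forms a C resolver accepts: 'a.b.c.d', 'a.b.c', 'a.b' or one
    bare 32-bit number, each part decimal, octal or hex. Returns an IPv4Address,
    or None when text is not such a literal (it is then treated as a hostname)."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [int(p, 16) if p.lower().startswith("0x") else
              int(p, 8) if p.startswith("0") else int(p) for p in parts]
    tail_bytes = 5 - len(parts)          # the last part fills the remaining bytes
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * tail_bytes)) | values[-1])


def host_to_ip(host):
    """Return the address a host string names outright, or None for a real hostname."""
    ip = parse_ipv4_literal(host)
    if ip is not None:
        return ip
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def ensure_allowed(ip, origin):
    """Reject ip if it, or the IPv4 it maps (::ffff:a.b.c.d), lies in a blocked range."""
    for candidate in (ip, getattr(ip, "ipv4_mapped", None)):
        if candidate is None:
            continue
        for net in BLOCKED_NETS:
            if candidate in net:
                raise ParanoidError(f"{origin} -> {ip} is inside blocked range {net}")


def resolve_checked(host, resolver, max_hops=8):
    """Resolve host, following CNAMEs one hop at a time and checking every name and
    every address on the way. resolver(name) returns [(rtype, value), ...] or []."""
    name = host.lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        ip = host_to_ip(name)
        if ip is not None:                     # a literal address: check it directly
            if ip.version == 4 and str(ip) != name:   # policy assumption: only dotted decimal
                raise ParanoidError(f"{name}: non-canonical literal for {ip}")
            ensure_allowed(ip, name)
            return [ip]
        if name in seen:
            raise ParanoidError(f"CNAME loop at {name}")
        seen.add(name)
        records = resolver(name)
        if not records:
            raise ParanoidError(f"{name} does not resolve")
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:                             # follow the alias; its target is checked next
            name = cnames[0].lower().rstrip(".")
            continue
        addrs = [ipaddress.ip_address(v) for t, v in records if t in ("A", "AAAA")]
        for addr in addrs:
            ensure_allowed(addr, name)
        return addrs
    raise ParanoidError(f"{host}: too many CNAME hops")


def paranoid_fetch(url, resolver, http, max_redirects=5):
    """Fetch url via http(url) -> (status, location_or_body), re-checking the host of
    every redirect target before following it. Returns the final body."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ParanoidError(f"refusing URL {url!r}")
        resolve_checked(parts.hostname, resolver)
        status, payload = http(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)        # loop: the new host gets the same checks
            continue
        return payload
    raise ParanoidError("too many redirects")


def url_is_blocked(url, resolver, http):
    """True when the paranoid agent refuses url for any reason."""
    try:
        paranoid_fetch(url, resolver, http)
    except ParanoidError:
        return True
    return False


# Constructed fake DNS and HTTP so the example runs offline. The *.example names and
# addresses are made up; the two real hostnames map to the addresses the post gives.
FAKE_DNS = {
    "localhost-fortest.danga.com": [("A", "127.0.0.1")],
    "kumquat.s8n.me.uk": [("A", "192.168.2.1")],
    "public.example": [("A", "203.0.113.10")],
    "alias.example": [("CNAME", "inner.example.")],
    "inner.example": [("CNAME", "router.example")],
    "router.example": [("A", "10.0.0.1")],
    "v6.example": [("AAAA", "::ffff:127.0.0.1")],
}
FAKE_HTTP = {
    "http://public.example/": (200, "hello"),
    "http://public.example/bounce": (302, "http://alias.example/"),
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


def fake_http(url):
    return FAKE_HTTP.get(url, (404, "not found"))
```

Note that `1117130646` canonicalizes to `66.150.15.150`, a public address, so a filter that only compares against private ranges would let it through; this example refuses it because the literal is not dotted decimal, which is one defensible policy since nothing legitimate needs that form. The IPv4-mapped IPv6 check matters for the same reason: `[::ffff:127.0.0.1]` is not in `127.0.0.0/8` as an IPv6 address, but it connects to loopback.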

I wonder what PHP's default "filename can be a URL" does about this problem. But PHP cares so much about security, I guess. :-)
Tags: openid, tech