brad's life
Brad Fitzpatrick

LWPx::ParanoidAgent [May. 20th, 2005|10:31 pm]

I just uploaded LWPx-ParanoidAgent-1.00 to CPAN. Props to mart for finding even more things to be paranoid about.

For example, go to the OpenID demo page:
http://www.danga.com/openid/demo/demo.html

And try to validate some of these:
http://localhost-fortest.danga.com/ (resolves to localhost)
http://1117130646/ (livejournal)
http://kumquat.s8n.me.uk/ (resolves to 192.168.2.1)
http://0177.0.0.1/ (localhost)

The paranoid useragent will slap 'em all down. That includes the case where someone sets up a valid webserver that redirects to a hostname which resolves to a CNAME which resolves to an internal address, with every step of the CNAMEs and addresses being checked.

I wonder what PHP's default "filename can be a URL" does about this problem. But PHP cares so much about security, I guess. :-)
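
The kind of check described above, sketched in Python as an added example (it is not ParanoidAgent's own code, which is Perl): it decodes the numeric host forms from the list and vets every address a name resolves to. `BLOCKED_NETS`, `FAKE_DNS`, `public.example` and the function names are assumptions made for this sketch, IPv6 is simply refused, and a fetcher would have to repeat the check on every redirect hop.

```python
import ipaddress
import re
import socket

# Assumed deny list for this example: loopback, RFC 1918, link-local and other
# non-routable IPv4 ranges. A real deployment also lists its own servers.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
_NUM = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

# Constructed resolver data, following the annotations in the post.
FAKE_DNS = {"localhost-fortest.danga.com": ["127.0.0.1"],
            "kumquat.s8n.me.uk": ["192.168.2.1"],
            "public.example": ["203.0.113.10"]}  # hypothetical public host

def parse_legacy_ipv4(host):
    """Decode inet_aton-style hosts: 1-4 parts, decimal, 0-octal or 0x-hex.
    Returns None for a non-numeric host; raises ValueError if malformed."""
    parts = host.split(".")
    if not all(_NUM.fullmatch(p) for p in parts):
        return None
    if len(parts) > 4:
        raise ValueError("too many parts")
    nums = [int(p, 16 if p[:2].lower() == "0x" else 8 if p[0] == "0" and len(p) > 1 else 10)
            for p in parts]
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        raise ValueError("part out of range")
    value = last  # the final part fills all remaining low-order bytes
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def system_resolve(name):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def vetted_addresses(host, resolve=system_resolve, extra_blocked=()):
    """Return the IPv4 addresses a fetcher may connect to, or [] to refuse."""
    try:
        literal = parse_legacy_ipv4(host)
        found = [str(literal)] if literal is not None else resolve(host)
        addrs = [ipaddress.ip_address(a) for a in found]
    except (ValueError, OSError, KeyError):
        return []
    nets = BLOCKED_NETS + [ipaddress.ip_network(n) for n in extra_blocked]
    # One blocked record refuses the whole name; connect only to what is returned.
    if not addrs or any(a.version != 4 or any(a in n for n in nets) for a in addrs):
        return []
    return [str(a) for a in addrs]
```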

Comments:
From: scsi
2005-05-21 05:55 am (UTC)
PHP is totally about security!!

What? What about phpbb? I don't know what you're talking about??
(Deleted comment)
From: brad
2005-05-21 06:38 am (UTC)
Language has a lot to do with it. Both functionality and community/culture. There are more buffer overflows with C code than Java. The PHP community is more newbie than, say, the Ruby community.
(Deleted comment)
From: evan
2005-05-21 09:25 pm (UTC)
These look like real security problems in the language. (Unless you define "functions can do arbitrary things with weird inputs" as part of the language. This is certainly the case in C, but I don't think that's within any programmer's mental model with these higher-level languages.)
From: mart
2005-05-22 12:22 am (UTC)

Agreed. I don't even consider buffer overflows when writing PHP and Perl: I write with the assumption that the language and core libraries are perfect. You could argue that I should be more paranoid, but then I'd argue that it makes all high level languages a sham.

When I write in C, of course, I'm constantly thinking about memory-related issues because C doesn't attempt to abstract these issues away.

(Deleted comment)
From: jamesd
2005-05-21 04:32 pm (UTC)
Mediawiki has issues from time to time but security things are cleaned up fast, in part because of the really high profile test site.

I expect a security pro could find at least ten issues if they went looking - question of time to find rather than whether they are there or not. If any security pros read this, give it a try and let me know time to find ten and their details - and we'll promptly fix them, of course.

Not surprising that Brad and co are being paranoid, given their own high profile test site. :) Good to see it.
From: mart
2005-05-21 08:31 am (UTC)

As far as I know, PHP's HTTP fopen wrapper doesn't care about any of this stuff. It's provided as a quick shortcut, but you're supposed to do it properly if it matters to you. (No-one ever does, but that's PHP programmers for you.)

PHP also has a limit on how long a script can run in total, which serves a similar purpose to the timeout in ParanoidAgent when it comes to tarpitting servers.

From: plix
2005-05-21 09:54 pm (UTC)
I can't speak for the built-in fopen wrappers, but cURL (which has PHP bindings) supports at least the timeout and tarpitting. I haven't checked to see what options are available to restrict connecting to reserved IP blocks, though I'm fairly sure that those could be resolved and checked by using the dns_get_record function.

See here (specifically the options CURLOPT_MAXREDIRS and CURLOPT_TIMEOUT).

I'm not going to get into a religious language war since I agree with most everyone here about the caliber of most PHP programmers out there, but remember that there are exceptions. Besides MediaWiki, I'd also point to anything Horde has done as an example of extremely high-quality PHP.