diff options
author | Simon McVittie <smcv@debian.org> | 2019-02-10 16:56:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-26 22:21:31 +0000 |
commit | 9a275b2f1846d7268c71a740975447e269383849 (patch) | |
tree | 0c832065045c67438ede85f237b93f77b74ecd2b /doc/plugins/openid.mdwn | |
parent | d283e4ca1aeb6ca8cc0951c8495f778071076013 (diff) | |
download | ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar.gz |
doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc/plugins/openid.mdwn')
-rw-r--r-- | doc/plugins/openid.mdwn | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/plugins/openid.mdwn b/doc/plugins/openid.mdwn index 4c8e0d381..a061cb43f 100644 --- a/doc/plugins/openid.mdwn +++ b/doc/plugins/openid.mdwn @@ -7,8 +7,11 @@ into the wiki. The plugin needs the [[!cpan Net::OpenID::Consumer]] perl module. Version 1.x is needed in order for OpenID v2 to work. -The [[!cpan LWPx::ParanoidAgent]] perl module is used if available, for -added security. Finally, the [[!cpan Crypt::SSLeay]] perl module is needed +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible to +server-side request forgery. + +The [[!cpan Crypt::SSLeay]] Perl module is needed to support users entering "https" OpenID urls. This plugin is enabled by default, but can be turned off if you want to |