diff options
author | Simon McVittie <smcv@debian.org> | 2019-02-10 16:56:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-26 22:21:31 +0000 |
commit | 9a275b2f1846d7268c71a740975447e269383849 (patch) | |
tree | 0c832065045c67438ede85f237b93f77b74ecd2b /doc/plugins/pinger.mdwn | |
parent | d283e4ca1aeb6ca8cc0951c8495f778071076013 (diff) | |
download | ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar.gz |
doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc/plugins/pinger.mdwn')
-rw-r--r-- | doc/plugins/pinger.mdwn | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/doc/plugins/pinger.mdwn b/doc/plugins/pinger.mdwn index 00d83e1bb..f37979ac6 100644 --- a/doc/plugins/pinger.mdwn +++ b/doc/plugins/pinger.mdwn @@ -10,9 +10,11 @@ can be kept up-to-date. To configure what URLs to ping, use the [[ikiwiki/directive/ping]] [[ikiwiki/directive]]. -The [[!cpan LWP]] perl module is used for pinging. Or the [[!cpan -LWPx::ParanoidAgent]] perl module is used if available, for added security. -Finally, the [[!cpan Crypt::SSLeay]] perl module is needed to support pinging +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + +The [[!cpan Crypt::SSLeay]] perl module is needed to support pinging "https" urls. By default the pinger will try to ping a site for 15 seconds before timing |