diff options
author | Simon McVittie <smcv@debian.org> | 2019-02-10 16:56:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-26 22:21:31 +0000 |
commit | 9a275b2f1846d7268c71a740975447e269383849 (patch) | |
tree | 0c832065045c67438ede85f237b93f77b74ecd2b /doc/plugins | |
parent | d283e4ca1aeb6ca8cc0951c8495f778071076013 (diff) | |
download | ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar.gz |
doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc/plugins')
-rw-r--r-- | doc/plugins/aggregate.mdwn | 4 | ||||
-rw-r--r-- | doc/plugins/blogspam.mdwn | 2 | ||||
-rw-r--r-- | doc/plugins/openid.mdwn | 7 | ||||
-rw-r--r-- | doc/plugins/pinger.mdwn | 8 |
4 files changed, 16 insertions, 5 deletions
diff --git a/doc/plugins/aggregate.mdwn b/doc/plugins/aggregate.mdwn index 75123d923..b1db828d1 100644 --- a/doc/plugins/aggregate.mdwn +++ b/doc/plugins/aggregate.mdwn @@ -11,6 +11,10 @@ The [[meta]] and [[tag]] plugins are also recommended to be used with this one. Either the [[htmltidy]] or [[htmlbalance]] plugin is suggested, since feeds can easily contain html problems, some of which these plugins can fix. +Installing the [[!cpan LWPx::ParanoidAgent]] Perl module is strongly +recommended. The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + ## triggering aggregation You will need to run ikiwiki periodically from a cron job, passing it the diff --git a/doc/plugins/blogspam.mdwn b/doc/plugins/blogspam.mdwn index 745fc48e2..0ebae7d84 100644 --- a/doc/plugins/blogspam.mdwn +++ b/doc/plugins/blogspam.mdwn @@ -11,6 +11,8 @@ To check for and moderate comments, log in to the wiki as an admin, go to your Preferences page, and click the "Comment Moderation" button. The plugin requires the [[!cpan JSON]] perl module. +The [[!cpan LWPx::ParanoidAgent]] Perl module is recommended, +although this plugin can also fall back to [[!cpan LWP]]. You can control how content is tested via the `blogspam_options` setting. The list of options is [here](http://blogspam.net/api/2.0/testComment.html#options). diff --git a/doc/plugins/openid.mdwn b/doc/plugins/openid.mdwn index 4c8e0d381..a061cb43f 100644 --- a/doc/plugins/openid.mdwn +++ b/doc/plugins/openid.mdwn @@ -7,8 +7,11 @@ into the wiki. The plugin needs the [[!cpan Net::OpenID::Consumer]] perl module. Version 1.x is needed in order for OpenID v2 to work. -The [[!cpan LWPx::ParanoidAgent]] perl module is used if available, for -added security. Finally, the [[!cpan Crypt::SSLeay]] perl module is needed +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible to +server-side request forgery. + +The [[!cpan Crypt::SSLeay]] Perl module is needed to support users entering "https" OpenID urls. This plugin is enabled by default, but can be turned off if you want to diff --git a/doc/plugins/pinger.mdwn b/doc/plugins/pinger.mdwn index 00d83e1bb..f37979ac6 100644 --- a/doc/plugins/pinger.mdwn +++ b/doc/plugins/pinger.mdwn @@ -10,9 +10,11 @@ can be kept up-to-date. To configure what URLs to ping, use the [[ikiwiki/directive/ping]] [[ikiwiki/directive]]. -The [[!cpan LWP]] perl module is used for pinging. Or the [[!cpan -LWPx::ParanoidAgent]] perl module is used if available, for added security. -Finally, the [[!cpan Crypt::SSLeay]] perl module is needed to support pinging +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + +The [[!cpan Crypt::SSLeay]] perl module is needed to support pinging "https" urls. By default the pinger will try to ping a site for 15 seconds before timing |