From 9a275b2f1846d7268c71a740975447e269383849 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 10 Feb 2019 16:56:41 +0000 Subject: doc: Document security issues involving LWP::UserAgent Recommend the LWPx::ParanoidAgent module where appropriate. It is particularly important for openid, since unauthenticated users can control which URLs that plugin will contact. Conversely, it is non-critical for blogspam, since the URL to be contacted is under the wiki administrator's control. Signed-off-by: Simon McVittie --- doc/plugins/pinger.mdwn | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'doc/plugins/pinger.mdwn') diff --git a/doc/plugins/pinger.mdwn b/doc/plugins/pinger.mdwn index 00d83e1bb..f37979ac6 100644 --- a/doc/plugins/pinger.mdwn +++ b/doc/plugins/pinger.mdwn @@ -10,9 +10,11 @@ can be kept up-to-date. To configure what URLs to ping, use the [[ikiwiki/directive/ping]] [[ikiwiki/directive]]. -The [[!cpan LWP]] perl module is used for pinging. Or the [[!cpan -LWPx::ParanoidAgent]] perl module is used if available, for added security. -Finally, the [[!cpan Crypt::SSLeay]] perl module is needed to support pinging +The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. +The [[!cpan LWP]] module can also be used, but is susceptible +to server-side request forgery. + +The [[!cpan Crypt::SSLeay]] perl module is needed to support pinging "https" urls. By default the pinger will try to ping a site for 15 seconds before timing -- cgit v1.2.3
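Review bot: The replacement paragraph in doc/plugins/pinger.mdwn no longer says how the module is chosen. The removed text stated that LWPx::ParanoidAgent "is used if available", but the new "The [[!cpan LWP]] module can also be used" reads as if the administrator selects one. Suggest keeping the fallback explicit, for example "If LWPx::ParanoidAgent is not installed, LWP is used instead, which is susceptible to server-side request forgery", so that a reader knows a missing module leaves the weaker agent in use. The commit message ranks the risk for openid and blogspam by who controls the contacted URL, while this page only says that URLs are configured through the ping directive. One sentence stating who can place that directive would let readers judge how important the recommendation is for pinger. Minor style point: the added line writes "Perl module" while the retained Crypt::SSLeay line still says "perl module", and "urls" stays lowercase, so it is worth making these consistent while touching the paragraph.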