Issue 64: Harden the UntrustedWebRequest class
The Fetcher class is not as exploit-proof as we'd like. Discovery on "localhost" and other non-routable addresses should be disabled in release builds to prevent web servers from being "tricked" into calling URLs on themselves or other internal servers.
May 01, 2008
(No comment was entered for this change.)
Owner: ---
May 23, 2008
An example of a paranoid HTTP client can be found here: http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent-1.02/lib/LWPx/ParanoidAgent.pm
Summary: Harden the UntrustedWebRequest class
Status: Started
Owner: andrewarnott
Labels: -Type-Defect -Priority-Medium -Release-2.0 Type-Security Priority-High Release-2.1
May 23, 2008
Paranoid HTTP upgrade checked into Master branch.
Status: FixedNeedsMerge
May 31, 2008
Merged from master into v2.2 branch
Status: Fixed
Labels: -Release-2.1 Release-2.2
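
The check requested in the issue description, sketched as an added example in Python; it is not the project's code or the change checked in for this issue. The names `vet_url`, `is_internal`, `fake_resolver` and the hosts in `CONSTRUCTED_DNS` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS data (hypothetical hosts) so the example runs offline.
CONSTRUCTED_DNS = {
    "openid.example.org": ["93.184.216.34"],
    "intranet.example.org": ["10.0.0.5"],
    "mixed.example.org": ["93.184.216.34", "127.0.0.1"],
    "localhost": ["127.0.0.1", "::1"],
}

def fake_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: nothing to look up
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host):
    """Resolve through the OS resolver (what a release build would use)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_internal(addr):
    """True for loopback, private, link-local and other non-routable addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global

def vet_url(url, resolve=system_resolver):
    """Return the vetted addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise ValueError("%s did not resolve" % parts.hostname)
    # Reject if ANY answer is internal: a name can mix public and private records.
    bad = [a for a in addresses if is_internal(a)]
    if bad:
        raise ValueError("%s resolves to internal address %s" % (parts.hostname, bad[0]))
    # Connect to one of these exact addresses; resolving the name again later
    # could return a different answer than the one vetted here.
    return addresses
```

The same vetting has to be repeated for every redirect target, since a public URL can redirect to an internal one.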