LWPx::ParanoidAgent is a class subclassing LWP::UserAgent, but
paranoid against attackers. It's to be used when you're fetching
a remote resource on behalf of a possibly malicious user.

This class can do whatever LWP::UserAgent can (callbacks, uploads
from files, etc), except proxy support is explicitly removed, because
in that case you should do your paranoia at your proxy.

Also, the schemes are limited to http and https, which are mapped to
LWPx::Protocol::http_paranoid and LWPx::Protocol::https_paranoid,
respectively, which are forked versions of the same ones without
the "_paranoid". Subclassing them didn't look possible, as they were
essentially just one huge function.

This class protects you from connecting to internal IP ranges
(unless you whitelist them), hostnames/IPs that you blacklist, remote
webserver tarpitting your process (the timeout parameter is changed to
be a global timeout over the entire process), and all combinations of
redirects and DNS tricks to otherwise tarpit and/or connect to internal
resources.

WWW: http://search.cpan.org/dist/LWPx-ParanoidAgent/
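
The protections described above, as an added usage example that is not part of this port or of the module's distribution. It assumes LWPx::ParanoidAgent is installed; all hostnames and URLs are constructed placeholders, and fetch_for_user is a hypothetical helper name.

```perl
#!/usr/bin/env perl
# Added example: fetching user-supplied URLs through LWPx::ParanoidAgent.
# Hostnames and URLs below are constructed for illustration.
use strict;
use warnings;
use LWPx::ParanoidAgent;

my $ua = LWPx::ParanoidAgent->new;

# Global budget in seconds for the whole request, redirects included,
# rather than LWP::UserAgent's usual per-read inactivity timeout.
$ua->timeout(10);

# Limits inherited from LWP::UserAgent still apply.
$ua->max_redirect(3);
$ua->max_size(1024 * 1024);    # stop reading a body after 1 MiB

# Extra denials on top of the built-in internal-range blocking.
# Entries may be exact names, regexes, or callbacks returning true.
$ua->blocked_hosts(
    'metadata.example.internal',
    qr/\.corp\.example\.com$/i,
    sub { my $host = shift; return $host =~ /^admin\./i ? 1 : 0 },
);

# Exceptions: an internal destination this service may legitimately reach.
$ua->whitelisted_hosts('feeds.example.internal');

# Hypothetical helper: returns the body on success, nothing otherwise,
# and logs the reason so refused requests are visible to operators.
sub fetch_for_user {
    my ($url) = @_;
    my $res = $ua->get($url);
    return $res->decoded_content if $res->is_success;
    warn sprintf("refused or failed: %s (%s)\n", $url, $res->status_line);
    return;
}

# Constructed inputs naming destinations the agent is meant to refuse:
# loopback, an RFC 1918 address, a blocklisted name, a non-HTTP scheme.
for my $url (
    'http://127.0.0.1/',
    'http://10.0.0.5/',
    'http://intranet.corp.example.com/',
    'file:///etc/hostname',
) {
    my $body = fetch_for_user($url);
    printf "%-40s %s\n", $url, defined $body ? 'fetched' : 'not fetched';
}
```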