On 8/24/06, Timwi <timwi@gmx.net> wrote:
> I was trying to address the security issues that come from the user's ability to cause the server to perform any GET request to any server.
This is a problem why, provided the server is careful about what it does with the response? It could potentially be used for, e.g., flooding a third party's server, but it wouldn't be hard to restrict the harm that could do (by throttling), and no one could do much more damage that way than they could do without the WMF's help. An overwhelming number of massive, reputable sites are willing to execute arbitrary GET requests -- it's necessary for spidering, to begin with.
Given that this feature is *not* currently implemented, I see no reason not to discuss its possible implications openly.
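
An added example, not part of the original message or of any MediaWiki code: one way the throttling mentioned above could work, as a token bucket keyed on the destination host, so the limit protects the third party no matter how many users trigger fetches. The class name, rates and URLs are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit


class OutboundFetchThrottle:
    """Token bucket per destination host for server-initiated GET requests."""

    def __init__(self, rate_per_sec=1.0, burst=5, clock=time.monotonic):
        self.rate = rate_per_sec      # tokens refilled per second, per host
        self.burst = burst            # maximum tokens a host can accumulate
        self.clock = clock            # injectable so the logic can be tested
        self.buckets = {}             # host -> (tokens, last_refill_time)

    def allow(self, url):
        """Return True if a fetch of `url` may go out now, else False."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False              # only plain web fetches are in scope
        host = parts.hostname.lower()
        now = self.clock()
        tokens, last = self.buckets.get(host, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[host] = (tokens, now)
            return False              # over budget for this destination
        self.buckets[host] = (tokens - 1.0, now)
        return True


def simulate(urls_with_times, rate_per_sec=1.0, burst=2):
    """Replay constructed (time, url) pairs; return the allow/deny decisions."""
    current = [0.0]
    throttle = OutboundFetchThrottle(rate_per_sec, burst, clock=lambda: current[0])
    decisions = []
    for t, url in urls_with_times:
        current[0] = t
        decisions.append(throttle.allow(url))
    return decisions


# Constructed sample: several requests make the server fetch from one third party.
SAMPLE = [
    (0.0, "http://third-party.example/a"),
    (0.1, "http://third-party.example/b"),
    (0.2, "http://THIRD-PARTY.example/c"),   # same host, different case
    (0.3, "http://other.example/x"),         # separate bucket
    (0.4, "ftp://third-party.example/d"),    # non-HTTP scheme refused
    (1.5, "http://third-party.example/e"),   # bucket has refilled
]
```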