On 8/24/06, Timwi <timwi(a)gmx.net> wrote:
I was trying to address the security issues
that come from the user's ability to cause the server to perform any GET
request to any server.
This is a problem why, provided the server is careful about what it
does with the response? It could potentially be used for, e.g.,
flooding a third party's server, but it wouldn't be hard to restrict
the harm that could do (by throttling), and no one could do much more
damage that way than they could do without the WMF's help. An
overwhelming number of massive, reputable sites are willing to execute
arbitrary GET requests -- it's necessary for spidering, to begin with.
Given that this feature is *not* currently implemented, I see no
reason not to discuss its possible implications openly.