"Timwi" <timwi(a)gmx.net> wrote in message
news:ecl9gm$dij$1@sea.gmane.org...
Simetrical wrote:
On 8/24/06, Timwi <timwi(a)gmx.net> wrote:
I was trying to address the security issues
that come from the user's ability to cause the server to perform any GET
request to any server.
This is a problem why, provided the server is careful about what it
does with the response?
It's not the response that's the problem, it's the GET request itself.
Suppose some stupid web programmer programmed a forum where you can
delete posts with a GET request. If you can fire GET requests to any
server from Wikimedia's servers, then the forum's servers will only log
Wikimedia's IPs, and the mass-deletion forum vandal is now untraceable.
I'm sure there are even more significant cases that I haven't thought of.
Timwi
It would not be hard to include appropriate trace information in the headers
(Referer & User-Agent), which will show up in the remote website's logs.
For example, IP/username of the uploader, link back to the resulting image
page, etc.
We could even set the referrer URL to a non-editable page giving full
details about the specific request, with further links that explain the
feature and how it works, give details about how to report abuse/copyright
infringement, etc.
- Mark Clements (HappyDog)
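As an added illustration of the suggestion in the reply above (this is example code written for this page, not code from the thread or from MediaWiki), the following Python builds the outbound headers for a server-side GET made on a user's behalf, then shows that the remote site's combined-format access log entry, which records Referer and User-Agent, is enough to recover the uploader's username and IP rather than only the proxying server's address. The site URLs, the product token and the log line are all hypothetical and constructed for the example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical site URLs and product token used by this example; not from the thread.
FETCH_DETAILS_PAGE = "https://wiki.example.org/Special:FetchDetails"
ABUSE_INFO_PAGE = "https://wiki.example.org/Project:Remote_fetch_abuse"
PRODUCT = "ExampleWiki-RemoteFetch/1.0"


def build_trace_headers(username, client_ip, result_page_url, request_id):
    """Headers for an outbound GET made on behalf of an uploader.

    Referer points at a non-editable page describing this exact request;
    User-Agent carries the uploader's identity, the resulting image page and a
    link to the abuse-reporting page, so all of it lands in the remote log.
    """
    referer = f"{FETCH_DETAILS_PAGE}/{quote(str(request_id), safe='')}"
    user_agent = (
        f"{PRODUCT} (+{ABUSE_INFO_PAGE}; "
        f"user={quote(username, safe='')}; ip={client_ip}; "
        f"page={result_page_url})"
    )
    return {"User-Agent": user_agent, "Referer": referer}


def check_fetch_url(url):
    """Only plain http/https URLs with a host are fetched on a user's behalf."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


# Combined log format as Apache/nginx write it: the last two quoted fields are
# the Referer and User-Agent the remote site received.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Trace fields inside the User-Agent comment, each introduced by "; ".
_UA_FIELD_RE = re.compile(r"; (user|ip|page)=([^;)]+)")


def format_combined_log_line(proxy_ip, request_line, headers, status=200, size=512):
    """Simulate the remote site's access log entry for the proxied GET (constructed)."""
    return (f'{proxy_ip} - - [24/Aug/2006:12:00:00 +0000] "{request_line}" '
            f'{status} {size} "{headers["Referer"]}" "{headers["User-Agent"]}"')


def trace_from_log_line(line):
    """Recover who really asked for a request from one combined-log line.

    Returns None when the line carries no trace fields (e.g. a direct request
    by an ordinary browser), so the caller can tell the two cases apart.
    """
    m = _LOG_RE.match(line)
    if not m:
        return None
    fields = dict(_UA_FIELD_RE.findall(m.group("ua")))
    if "user" not in fields or "ip" not in fields:
        return None
    return {
        "proxy_ip": m.group("ip"),          # the wiki's server, what the log shows today
        "request": m.group("request"),
        "details_url": m.group("referer"),  # non-editable page describing the request
        "user": unquote(fields["user"]),
        "user_ip": fields["ip"],
        "result_page": fields.get("page"),
    }


if __name__ == "__main__":
    hdrs = build_trace_headers("Example user", "198.51.100.7",
                               "https://wiki.example.org/wiki/Image:Foo.jpg", 1234)
    # The forum from Timwi's scenario logs our server's IP, but also our headers.
    entry = format_combined_log_line("203.0.113.5",
                                     "GET /forum/delete.php?post=42 HTTP/1.1", hdrs)
    print(entry)
    print(trace_from_log_line(entry))
```

The remote administrator still sees only the wiki's IP in the first column, but the parsed User-Agent and Referer name the uploader and link to a page with the full request details and abuse contact, which is exactly the traceability the reply asks for.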