On Mon, Dec 28, 2015 at 7:09 PM, Harry Metske <harry.met...@gmail.com> wrote:

> We considered it a security risk and did not implement it.
Having a server go blindly into user-specified URLs is indeed a huge security risk. Users could easily create a denial of service (listing hundreds of URLs) either for the target or the JSPWiki server itself. They could also use the feature to exploit vulnerable URLs, disguising themselves as the JSPWiki server.

However, I believe safer, more limited approaches could be used that would still provide value to site administrators (from least to most dangerous, from least to most value to the administrator):

- Collate all host names mentioned in wiki pages; run one DNS query per host name (using rate limits); take note of which host names no longer exist; report pages that contain links to those hosts.
- Similar idea, but run one HEAD HTTP request to the root (/) of each host name in addition to resolving the name.
- Similar idea, up to the path component of the URL; canonicalize it, apply a size limit, remove queries and fragments; this should still be rather safe.

(Note that these are only ideas. I am not volunteering to implement them.)

-- Adrien
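As an added illustration of the first and third ideas above (not code from the thread or from JSPWiki), the sketch below collates host names from wiki page text, canonicalizes each URL to scheme, host and path under a size limit, and runs one rate-limited DNS lookup per distinct host, reporting the pages that link to hosts which no longer resolve. The page texts, the 2048-byte limit and the 0.5 s spacing are assumed sample values; the resolver and sleep function are injectable so the check can run offline.

```python
import re
import socket
import time
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
MAX_URL_LEN = 2048  # size limit applied before canonicalising (assumed value)

def canonicalize(url):
    """Keep scheme, lowercased host and path; drop query and fragment.
    Returns None for over-long or non-http(s) URLs (third idea)."""
    if len(url) > MAX_URL_LEN:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return urlunsplit((parts.scheme, parts.hostname, parts.path or "/", "", ""))

def collect_hosts(pages):
    """Map each host name to the set of wiki pages that link to it (first idea)."""
    hosts = defaultdict(set)
    for name, text in pages.items():
        for url in URL_RE.findall(text):
            canon = canonicalize(url)
            if canon:
                hosts[urlsplit(canon).hostname].add(name)
    return hosts

def default_resolve(host):
    """One forward DNS lookup; False when the name no longer resolves."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def report_dead_hosts(pages, resolve=default_resolve, delay=0.5, sleep=time.sleep):
    """One DNS query per distinct host, spaced `delay` seconds apart;
    returns {host: sorted page names} for hosts that do not resolve."""
    dead = {}
    for i, (host, names) in enumerate(sorted(collect_hosts(pages).items())):
        if i:
            sleep(delay)  # simple rate limit: never more than one query per `delay`
        if not resolve(host):
            dead[host] = sorted(names)
    return dead

# Constructed sample wiki pages (not real JSPWiki content)
SAMPLE_PAGES = {
    "Main": "See http://example.com/docs?x=1#top and https://gone.invalid/old",
    "Links": "Also https://GONE.invalid/other and http://example.com/",
}
```

Only one lookup per host is issued however many pages link to it, and the user-controlled query string and fragment never leave the server.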