I wish Mojo::UserAgent could be made to not visit private IPs

Someone wanting to build a social media site (a Mastodon server and web client, for example) will want to let its users post URLs, for which previews will be shown in their posts.

These URLs will be visited by a UserAgent, but there is a risk that a private IP (disguised as an FQDN that resolves to it) will be in the URL's host, and that might cause security issues.

I could use LWP::ParanoidAgent, but then I'd have to fork a process to make the whole thing async, like a good Mojolicious site will be, and too many processes running can be a problem. Also, I'd be missing out on the many Roles that exist for Mojo::UserAgent.

So I opened this issue on Mojolicious's GitHub wishing for a solution.
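
The check described above, as an added example that is not part of Mojolicious or of the original post: resolve the host once and refuse the URL unless every resulting address is public. The names `ip_is_blocked` and `public_addresses_for` are hypothetical, the range list covers common non-public ranges and is not exhaustive, and only the core `Socket` module is used.

```perl
use strict;
use warnings;
use Socket qw(:addrinfo inet_pton AF_INET AF_INET6 SOCK_STREAM);

# Loopback, private, link-local and CGNAT ranges: [family, packed net, prefix len]
my @BLOCKED = map {
    my ($net, $len) = split m{/};
    my $fam = $net =~ /:/ ? AF_INET6 : AF_INET;
    [$fam, inet_pton($fam, $net), $len];
} qw(0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
     172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10);

sub ip_is_blocked {
    my ($ip) = @_;
    my $fam    = $ip =~ /:/ ? AF_INET6 : AF_INET;
    my $packed = inet_pton($fam, $ip);
    return 1 unless defined $packed;    # unparsable address: fail closed
    # IPv4-mapped IPv6 (::ffff:a.b.c.d): judge the embedded IPv4 address
    if ($fam == AF_INET6 && substr($packed, 0, 12) eq ("\0" x 10) . "\xff\xff") {
        ($fam, $packed) = (AF_INET, substr($packed, 12));
    }
    my $bits = unpack 'B*', $packed;
    for my $range (@BLOCKED) {
        my ($rfam, $net, $len) = @$range;
        next unless $rfam == $fam;
        return 1 if substr($bits, 0, $len) eq substr(unpack('B*', $net), 0, $len);
    }
    return 0;
}

# Resolve $host; return its addresses only if all of them are public.
sub public_addresses_for {
    my ($host) = @_;
    my ($err, @res) = getaddrinfo($host, '', { socktype => SOCK_STREAM });
    return if $err;
    my %seen;
    for my $ai (@res) {
        my ($e, $ip) = getnameinfo($ai->{addr}, NI_NUMERICHOST, NIx_NOSERV);
        return if $e || ip_is_blocked($ip);    # one bad record refuses the host
        $seen{$ip} = 1;
    }
    return sort keys %seen;
}

# Constructed sample addresses (literals, so no DNS lookup is needed to run this)
for my $ip (qw(8.8.8.8 10.1.2.3 169.254.169.254 ::1 ::ffff:127.0.0.1 fd00::1)) {
    printf "%-18s %s\n", $ip, ip_is_blocked($ip) ? 'refuse' : 'allow';
}
```

The fetcher has to connect to one of the returned addresses rather than resolve the name a second time, and the same check has to be repeated for every redirect target.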

About karjala

I'm a Perl developer.