Comment 1 for bug 1592276

Aaron Wells (u-aaronw) wrote :

Fortunately, I've also realized it should be fairly easy to prevent those information gathering attacks through two steps:

1. Stop printing the underlying Curl error message in the form. The different Curl error responses are the main way the attacker can gather information from this attack. We should instead print something generic like "That feed URL appears to be invalid."

2. Add a random sleep interval to this process, to hinder detection based on timing.

If we do that, then the external feed block will become mostly useless for network exploration. (It'll still have some potential for abuse, but only the much less useful capability of sending HTTP "GET" requests without being able to see the response.)
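The two steps above, sketched in Python as an added example that is not code from the bug thread or the project; the fetcher, feed URL and timing values are constructed stand-ins. It goes slightly beyond step 2 by padding every request to a minimum duration before adding the random extra, since a purely random delay can be averaged away over repeated requests.

```python
import logging
import random
import time
from dataclasses import dataclass
log = logging.getLogger("feedblock")
GENERIC_ERROR = "That feed URL appears to be invalid."


class FeedFetchError(Exception):
    """Transport-level failure from the fetcher (stand-in for a Curl error)."""


@dataclass
class FeedResult:
    ok: bool
    message: str  # the only text the form is allowed to display


def fetch_feed(url, fetcher, min_seconds=0.0, jitter_seconds=0.0,
               sleep=time.sleep, rng=random.random):
    """Fetch a feed; hide why a failure happened and how long it took.

    fetcher(url) returns feed bytes or raises FeedFetchError with the transport
    reason. The reason is logged server-side only and the form gets one generic
    message for every failure; wall time is padded to min_seconds plus a random
    extra of up to jitter_seconds so fast and slow failures look alike outside.
    """
    started = time.monotonic()
    try:
        fetcher(url)
        result = FeedResult(ok=True, message="Feed added.")
    except FeedFetchError as exc:
        log.warning("feed fetch failed for %s: %s", url, exc)  # detail stays server-side
        result = FeedResult(ok=False, message=GENERIC_ERROR)
    remaining = min_seconds + rng() * jitter_seconds - (time.monotonic() - started)
    if remaining > 0:
        sleep(remaining)
    return result


def _fake_curl(reason):  # constructed stand-in for Curl: raise `reason`, or return bytes if None
    def fetcher(url):
        if reason is not None:
            raise FeedFetchError(reason)
        return b"<rss/>"
    return fetcher


def demo():
    sleeps = []
    results = [fetch_feed("http://feeds.example/rss", _fake_curl(r), min_seconds=1.0,
                          jitter_seconds=0.5, sleep=sleeps.append, rng=lambda: 0.5)
               for r in ("Connection refused", "Connection timed out", "Could not resolve host", None)]
    return [r.message for r in results], sleeps
```

`demo()` returns the same generic message for three different transport errors, and a padded sleep for every call including the successful one.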