LWPx::ParanoidAgent - subclass of LWP::UserAgent that protects you from harm
require LWPx::ParanoidAgent; my $ua = LWPx::ParanoidAgent->new; # this is 10 seconds overall, from start to finish. not just between # socket reads. and it includes all redirects. so attackers telling # you to download from a malicious tarpit webserver can only stall # you for $n seconds $ua->timeout(10); # setup extra block lists, in addition to the always-enforced blocking # of private IP addresses, loopbacks, and multicast addresses $ua->blocked_hosts( "foo.com", qr/\.internal\.company\.com$/i, sub { my $host = shift; return 1 if is_bad($host); }, ); $ua->whitelisted_hosts( "brad.lj", qr/^192\.168\.64\.3?/, sub { ... }, ); # get/set the DNS resolver object that's used my $resolver = $ua->resolver; $ua->resolver(Net::DNS::Resolver->new(...)); # and then just like a normal LWP::UserAgent, because it is one. my $response = $ua->get('http://search.cpan.org/'); ... if ($response->is_success) { print $response->content; # or whatever } else { die $response->status_line; }
The LWPx::ParanoidAgent is a class subclassing LWP::UserAgent, but paranoid against attackers. It's to be used when you're fetching a remote resource on behalf of a possibly malicious user.
LWPx::ParanoidAgent
LWP::UserAgent
This class can do whatever LWP::UserAgent can (callbacks, uploads from files, etc), except proxy support is explicitly removed, because in that case you should do your paranoia at your proxy.
Also, the schemes are limited to http and https, which are mapped to LWPx::Protocol::http_paranoid and LWPx::Protocol::https_paranoid, respectively, which are forked versions of the same ones without the "_paranoid". Subclassing them didn't look possible, as they were essentially just one huge function.
LWPx::Protocol::http_paranoid
LWPx::Protocol::https_paranoid
This class protects you from connecting to internal IP ranges (unless you whitelist them), hostnames/IPs that you blacklist, remote webserver tarpitting your process (the timeout parameter is changed to be a global timeout over the entire process), and all combinations of redirects and DNS tricks to otherwise tarpit and/or connect to internal resources.
See LWP::UserAgent to see how to use this class.
This module is supplied "as-is" and comes with no warranty, expressed or implied. It tries to protect you from harm, but maybe it will. Maybe it will destroy your data and your servers. You'd better audit it and send me bug reports.
Maybe. See the warranty above.
Copyright 2005 Brad Fitzpatrick
Lot of code from the the base class, copyright 1995-2004 Gisle Aas.
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
To install LWPx::ParanoidAgent, copy and paste the appropriate command in to your terminal.
cpanm
cpanm LWPx::ParanoidAgent
CPAN shell
perl -MCPAN -e shell install LWPx::ParanoidAgent
For more information on module installation, please visit the detailed CPAN module installation guide.