epikinon / xerteonlinetoolkits

Automatically exported from code.google.com/p/xerteonlinetoolkits
GNU General Public License v3.0

rss_proxy.php - insecure #12

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Call any XOT instance with ..../rss_proxy.php?url=http://news.bbc.co.uk (or whatever) and it'll fetch it.

What is the expected output? What do you see instead?
1. Should only return URLs defined within a template as valid RSS feeds? or
2. Specify whitelist of URLs which can be proxied? or
3. Only return proxied result(s) if it's an RSS mime-type received (still leaves this open as a denial of service hole though).

Original issue reported on code.google.com by ginger...@gmail.com on 6 Mar 2012 at 12:41

GoogleCodeExporter commented 8 years ago
Not sure it's practical to have a whitelist - too many potential URLs that users might add to the relevant XOT page and unrealistic for someone with access to the code or management.php to keep adding new allowed URLs upon request. Isn't there a way to restrict rss_proxy.php so that it can't be accessed via browser and can only be called from relevant XOT code?

Original comment by ronm...@googlemail.com on 6 Mar 2012 at 8:06

GoogleCodeExporter commented 8 years ago
It's also definitely not a good idea to allow anyone to request an arbitrary URL through the file - it can be easily abused in a denial of service attack at the very least.

I'm not sure how the URLs are embedded within the learning objects - if they are visible within the XML of an LO then it would be possible to limit the URLs requested.

Can the rss_proxy.php script be changed to also require the template_id is passed in?

Original comment by ginger...@gmail.com on 6 Mar 2012 at 12:22
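The restrictions proposed in this thread (require a template_id, only proxy feed URLs actually declared in that learning object's XML, and only relay RSS/Atom content types) sketched as an added example; this is not the project's own rss_proxy.php. It assumes a hypothetical helper load_template_xml() that returns the LO's XML for a template_id, and an assumed `<rss url="...">` element name that would need matching to the real XOT schema.

```php
<?php
// Added example, not the project's code: restricting rss_proxy.php as this
// issue suggests. load_template_xml() is a hypothetical helper that returns
// the learning object's XML for a template_id.

function extract_feed_urls(string $template_xml): array {
    // Collect every feed URL the LO declares. The <rss url="..."> element
    // name is an assumption; match it to the real XOT schema.
    $urls = [];
    $doc = new DOMDocument();
    if ($template_xml === '' || !@$doc->loadXML($template_xml)) {
        return $urls;
    }
    foreach ($doc->getElementsByTagName('rss') as $node) {
        $url = trim($node->getAttribute('url'));
        if ($url !== '') { $urls[] = $url; }
    }
    return $urls;
}

function is_allowed_feed_url(string $requested, array $allowed): bool {
    // http/https only, and an exact match against the declared feeds (no
    // prefix matching, so http://news.bbc.co.uk.evil.example/ is rejected).
    $scheme = strtolower((string)(parse_url($requested, PHP_URL_SCHEME) ?? ''));
    return in_array($scheme, ['http', 'https'], true) && in_array($requested, $allowed, true);
}

function is_feed_content_type(string $content_type): bool {
    // Only relay RSS/Atom-style media types; the server still fetches the
    // feed, so this narrows abuse but does not remove the DoS concern.
    $type = strtolower(trim(explode(';', $content_type)[0]));
    return in_array($type, ['application/rss+xml', 'application/atom+xml', 'application/xml', 'text/xml'], true);
}

// Handler: template_id and url are both required.
$template_id = (int)($_GET['template_id'] ?? 0);
$url = (string)($_GET['url'] ?? '');
if ($template_id <= 0 || $url === '') { http_response_code(400); exit('template_id and url required'); }
$allowed = extract_feed_urls(load_template_xml($template_id)); // hypothetical helper
if (!is_allowed_feed_url($url, $allowed)) { http_response_code(403); exit('url not declared in template'); }
$ch = curl_init($url);
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => false,
                        CURLOPT_TIMEOUT => 10, CURLOPT_MAXFILESIZE => 1048576]);
$body = curl_exec($ch);
$ctype = (string)curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
curl_close($ch);
if ($body === false || !is_feed_content_type($ctype)) { http_response_code(502); exit('not an RSS feed'); }
header('Content-Type: ' . $ctype);
echo $body;
```

Redirects are deliberately not followed, since a redirect would otherwise let an allowed feed URL lead the server to an address that was never declared in the template.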