gugod / libravatar

A ruby interface for libravatar avatar service.
https://www.libravatar.org/
MIT License

Sanitization of DNS results (potential security issue) #6

Closed fmarier closed 13 years ago

fmarier commented 13 years ago

I have just added sanitization code to the Perl and Python libraries:

https://github.com/schwern/gravatar-url/commit/14b0c613f434d2513f8f4609a17aff4fe31c17ea
http://bazaar.launchpad.net/~libravatar/pylibravatar/trunk/revision/5

I would suggest doing the same in the Ruby gem because we shouldn't trust DNS resolvers to do it for us and if it's not sanitized, it could allow attackers to perform actions on behalf of other users.

gugod commented 13 years ago

I have implemented the sanitization following the rules in the Python code, specifically because in the Perl code the port number is anything that matches 1 to 5 digits, which allows numbers greater than 65535 and actually allows 0.

It is released as a new version too: https://rubygems.org/gems/libravatar/versions/1.2.0
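An added Ruby illustration of the sanitization rule discussed in this thread (example code, not the libravatar gem's own implementation): the target host and port returned by a DNS SRV lookup are validated before they are used to build a URL, with the port restricted to 1..65535 rather than "any 1 to 5 digits". The `/avatar/<hash>` path layout and the `avatar_url` helper are assumptions for the example.

```ruby
# Sanitizer for DNS SRV results used in federated avatar lookups.
# Added example, not the gem's code: only shape-checks the values that came
# back from DNS; it does no resolution itself, so it runs offline.
module SrvSanitizer
  # One RFC 1123 hostname label: alphanumerics and inner hyphens, max 63 chars.
  LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

  # Reject anything that is not a plain hostname (no spaces, slashes, colons,
  # empty labels or over-long names). A single trailing dot from DNS is allowed.
  def self.valid_hostname?(host)
    return false unless host.is_a?(String)
    name = host.sub(/\.\z/, '')
    return false if name.empty? || name.length > 253
    name.split('.', -1).all? { |label| LABEL.match?(label) }
  end

  # A port is an integer in 1..65535. Unlike a bare \d{1,5} pattern this
  # rejects 0 and five-digit values above 65535.
  def self.valid_port?(port)
    n = case port
        when Integer then port
        when /\A\d{1,5}\z/ then port.to_i
        end
    !n.nil? && n.between?(1, 65_535)
  end

  # Returns [normalized_host, port_int] or nil when either value is unsafe.
  def self.sanitize(target, port)
    return nil unless valid_hostname?(target) && valid_port?(port)
    [target.sub(/\.\z/, '').downcase, port.to_i]
  end

  # Build the avatar URL from sanitized SRV data (assumed /avatar/<hash> layout).
  # Returns nil instead of a URL when the SRV values fail sanitization.
  def self.avatar_url(target, port, hash, secure: false)
    host, n = sanitize(target, port)
    return nil if host.nil?
    scheme = secure ? 'https' : 'http'
    default = secure ? 443 : 80
    authority = n == default ? host : "#{host}:#{n}"
    "#{scheme}://#{authority}/avatar/#{hash}"
  end
end
```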