sfeed

Simple RSS and Atom feed parser
git clone https://git.sinitax.com/codemadness/sfeed
Log | Files | Refs | README | LICENSE | Upstream | sfeed.txt

commit 979ec9251f95e97d6d38a75a20c847f744689be5
parent 8002e2c0dfb757b8c73531e1e5f36415c5c9031b
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date:   Thu,  2 May 2019 20:16:49 +0200

README: add security considerations, tweak preface a bit

Diffstat:
MREADME | 55++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 50 insertions(+), 5 deletions(-)

diff --git a/README b/README @@ -3,11 +3,10 @@ sfeed RSS and Atom parser (and some format programs). -It converts RSS or Atom feeds from XML to a TAB-separated file. -There are format programs included to format this TAB-separated format to -various other formats. -There are also some programs and scripts included to import and export OPML and -to update, sort, filter and merge feed items. +It converts RSS or Atom feeds from XML to a TAB-separated file. There are +formatting programs included to convert this TAB-separated format to various +other formats. There are also some programs and scripts included to import and +export OPML and to update, sort, filter and merge feed items. Build and install @@ -508,6 +507,52 @@ Now run: Now you can view feeds in mutt(1) for example. +Security considerations +----------------------- + +About automated remote resource loading and content execution: + +Some feeds will use a tracking pixel (1x1 image size) in HTML content with some +unique ID. Some even have embedded Javascript code, iframes, CSS. Opening such +content and loading these resources automatically may leak unwanted +information. + +For example on Slashdot: +<img src="http://feeds.feedburner.com/~r/Slashdot/slashdot/~4/someid" + height="1" width="1" alt=""/> + +If such content is opened in a typical webbrowser configuration this is +insecure. Be aware opening a link in a page generated on the local filesystem +or network has different privileges than one on a non-local domain. + +Recommendation: +Do not handle content as HTML and avoid automated remote resource loading in +content. Convert all content to plain-text in your formatting program. + + +About handling links: + +Be careful about handling feed links. + +A malicious link could be: tel:some-phonenumber, file:// or some other protocol +scheme which depending on the viewing program and system can have an action +assigned. + +Another malicious link could be pointing to a local device, for example an +(insecure) router: http://192.168.0.1/?reboot + +Recommendation: +Filter specific by protocol and non-local domain. This can be done using a grep +or awk filter or as a setting in your viewing program. + +See also: +- RFC4287 (Atom): 8. Security Considerations: + https://tools.ietf.org/html/rfc4287#section-8 +- RFC2854: 7. Security Considerations: + https://tools.ietf.org/html/rfc2854 +- Filter examples: see the sfeed README file. + + License -------