Hacker News
by stevekemp 3778 days ago
Remember that URLs don't always point to websites:

http://klopets.com/readtime/?url=file:///etc/passwd

http://klopets.com/readtime/?url=file:///etc/shadow


Aaaaand now there are tens of IPs trying to access /etc/passwd. Tailing my "failed hack attempts" log is kinda fun now.

But if you wrote this to warn me, then thanks!

Also be careful about redirect handling: http://evil.com might redirect you to file:///etc/passwd
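Both points raised above (the `file:` scheme and a redirect that lands on `file:///etc/passwd`) can be closed with one rule: validate the scheme and host of every URL before it is fetched, including each redirect hop, and never let the HTTP library follow redirects on its own. The following is an added example, not code from the readtime site or from either commenter; `example.test`, `FAKE_SITE` and `fake_fetch` are a constructed offline stand-in for a real fetcher.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5


def check_url(url):
    """Return url if it is an absolute http(s) URL with a host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme or '(none)'}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def resolve(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects by hand so every hop passes check_url before fetch() sees it.
    fetch(url) is caller-supplied and returns (status, headers, body)."""
    for _ in range(max_hops + 1):
        url = check_url(url)
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            # Relative Location values resolve against the current URL; an absolute
            # file:// Location comes out of urljoin unchanged and is caught next loop.
            url = urljoin(url, location)
            continue
        return url, body
    raise ValueError("too many redirects")


# Constructed fake server for the demonstration: no network access is needed.
FAKE_SITE = {
    "http://example.test/start": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://example.test/ok": (302, {"Location": "/article"}, b""),
    "http://example.test/article": (200, {}, b"<p>hello</p>"),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, b""))


def safe_fetch(url, fetch=fake_fetch):
    # Returns (final_url, body) on success or "rejected: <reason>" on refusal.
    try:
        return resolve(url, fetch)
    except ValueError as e:
        return f"rejected: {e}"
```

The same hop-by-hop check is where a DNS or private-address allowlist would also go; this block only shows the scheme and host rules the thread discusses.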

> But if you wrote this to warn me, then thanks!

I did.

You're not the first person to make that kind of mistake, and I assumed it was an obvious enough "attack" that trying to communicate it privately wasn't required.

Though I now have an extra if statement in my code to detect and log this type of 'hacking' attempt in addition to some others, the code was never vulnerable to this in the first place. No file contents are displayed at any time anyway.