Credit: Mark Maunder
Here’s a tip from some old hands at this game: if the software is named after the author’s first name, it is likely INSECURE AS ALL HELL. This design error is a case in point. Download files from attacker-specified URLs into a cache directory inside the webroot? Sounds like a great idea to me.
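The checks a fetch-and-cache feature needs in order to avoid that design error, as an added example that is not code from the software discussed here: the cache sits outside the webroot, the source host must match an allowlist exactly, and the stored filename never comes from the URL. The directory paths, the allowlisted host and all function names are assumptions made for the illustration.

```python
import hashlib
from pathlib import Path
from urllib.parse import urlsplit

# Assumed deployment values for this example (not from the original page).
WEBROOT = Path("/var/www/html")
CACHE_ROOT = Path("/var/cache/thumbs")
ALLOWED_HOSTS = frozenset({"images.example.com"})


class RejectedFetch(ValueError):
    """Raised when a remote-fetch request fails a policy check."""


def is_inside(child: Path, parent: Path) -> bool:
    """True if child is parent or sits below it, after normalising '..'."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def cache_path_for(url: str, cache_root: Path = CACHE_ROOT,
                   webroot: Path = WEBROOT,
                   allowed_hosts: frozenset = ALLOWED_HOSTS) -> Path:
    """Return the path where a fetched copy of url may be stored, or raise."""
    # 1. The cache must not be reachable (or executable) through the web server.
    if is_inside(cache_root, webroot):
        raise RejectedFetch("cache directory is inside the webroot")

    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise RejectedFetch(f"scheme not allowed: {parts.scheme!r}")

    # 2. Exact host comparison; .hostname excludes userinfo and port.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise RejectedFetch(f"host not allowed: {host!r}")

    # 3. The stored name is a hash with a fixed inert extension, so the
    #    requester controls neither the filename nor its extension.
    digest = hashlib.sha256(url.encode("utf-8")).hexdigest()
    return cache_root.resolve() / f"{digest}.bin"
```
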