hosts" breaks the Substack editor

(scalewithlee.substack.com)

603 points scalewithlee | 1 comments | 25 Apr 25 13:48 UTC | HN request time: 0s | source

Show context

paxys ◴[25 Apr 25 14:09 UTC] No.43793735[source]▶

This isn't a "security vs usability" trade-off as the author implies. This has nothing to do with security at all.

/etc/hosts

See, HN didn't complain. Does this mean I have hacked into the site? No, Substack (or Cloudflare, wherever the problem is) is run by people who have no idea how text input works.

replies(5): >>43793752 #>>43793805 #>>43793852 #>>43793880 #>>43794047 #

gav ◴[25 Apr 25 14:36 UTC] No.43794047[source]▶

>>43793735 #

It's more so that Cloudflare has a WAF product that checks a box for security and makes people who's job it is to care about boxes being checked happy.

For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:

  ../../apache/logs/error.log
  AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
  /../..//../..//../..//../winnt/system32/netstat.exe?-a

We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.

replies(2): >>43794824 #>>43804273 #

1. krferriter ◴[25 Apr 25 15:43 UTC] No.43794824[source]▶

>>43794047 #

> For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error

> We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

this causes me pain

↑