
603 points scalewithlee | 1 comments
Y_Y No.43793778
Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
replies(6): >>43793862 >>43793868 >>43793954 >>43794072 >>43794473 >>43802345
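To make the point in the comment above concrete, here is an added example (written for this page, not code from the thread or from any WAF product) that compares an exact-string denylist with one that canonicalizes the path before checking; the single denylist entry and the three path spellings are constructed from the comment itself.

```python
import posixpath

# Constructed denylist standing in for a WAF rule (assumption: one sensitive
# path; real rule sets are larger, which only widens the gap shown below).
DENYLIST = {"/etc/hosts"}


def naive_blocks(path: str) -> bool:
    """Exact-string match: the whack-a-mole approach the comment criticises.
    Every alternative spelling of the same file needs its own rule."""
    return path in DENYLIST


def canonical(path: str) -> str:
    """Collapse duplicate slashes and '.' segments the way the filesystem does
    before it looks the name up. posixpath.normpath is purely lexical: it does
    not touch the disk and does not resolve symlinks, so on a live host
    os.path.realpath would be the stronger canonical form."""
    return posixpath.normpath(path)


def normalized_blocks(path: str) -> bool:
    """Canonicalize first, then compare: one rule covers every spelling that
    the OS would treat as the same file."""
    return canonical(path) in DENYLIST


def compare(variants):
    """Return {spelling: (naive verdict, normalized verdict)} for a report."""
    return {v: (naive_blocks(v), normalized_blocks(v)) for v in variants}


if __name__ == "__main__":
    # The three spellings named in the comment; all resolve to /etc/hosts.
    report = compare(["/etc/hosts", "/etc//hosts", "/etc/./hosts"])
    for spelling, (naive, normalized) in report.items():
        print(f"{spelling:14} naive={naive!s:5} normalized={normalized}")
```

Only the first spelling trips the exact-string rule, while all three trip the canonicalizing one; the comment's larger point stands, since canonicalization inside a WAF still only approximates what the application and kernel will do with the request.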
jrockway No.43793868
Yeah, and this seems like a common Fortune 500 mandatory checkbox. Gotta have a Web Application Firewall! Doesn't matter what the rules are, as long as there are a few. Once I was told I needed one to prevent SQL injection attacks... against an application that didn't use an SQL database.

If you push back you'll always get a lecture on "defense in depth", and then they really look at you like you're crazy when you suggest that it's more effective to get up, tap your desk once, and spin around in a circle three times every Thursday morning. I don't know... I do this every Thursday and I've never been hacked. Defense in depth, right? It can't hurt...

replies(3): >>43793920 >>43795851 >>43799653
bombcar No.43793920
I love that having a web application firewall set to allow EVERYTHING passes the checkbox requirement ...
replies(1): >>43794124
CoffeeOnWrite No.43794124
(I’m in the anti-WAF camp) That does stand to improve your posture by giving you the ability to quickly apply duct tape to mitigate an active mild denial of service attack. It’s not utterly useless.
replies(2): >>43794206 >>43794423
elevation No.43794206
Doesn't it also add latency to every request?
replies(4): >>43794319 >>43794346 >>43795846 >>43796742
formerly_proven No.43795846
So does running McAfee on every POST body but some places really wanna do that regardless. (I at least hope the scanner isn't running in the kernel for this one).
replies(1): >>43796491
jrockway No.43796491
Yeah, we were asked to do this at my last job by some sort of security review. This one doesn't bother me as much. "Display 'network error' whenever a user uploads a file containing 'SELECT *'" is a bad user experience. "Some files in this repository have been flagged as containing a virus and are not visible in the web interface until allowed by an administrator," is OK with me, though.