
603 points scalewithlee | 3 comments
netsharc No.43793903
Reminds me of an anecdote about an e-commerce platform: someone coded a leaky webshop, so their workaround was to watch if the string "OutOfMemoryException" shows up in the logs, and then restart the app.

Another developer in the team decided they wanted to log what customers searched for, so if someone typed in "OutOfMemoryException" in the search bar...

PhilipRoman No.43795364
Careless analysis of free-form text logs is an underrated way to exploit systems. It's scary how much software blindly logs data without out-of-band escaping or sanitizing.
ycombinatrix No.43796073
Why would someone "sanitize" OutOfMemoryException out of their logs? That is a silly point to make.
owebmaster No.43796243
An OutOfMemoryException log should not be the same as a search log

  Error: OutOfMemoryException
And

  Search: OutOfMemoryException
Should not be related in any way
dusanz No.43796851
Until someone searches for "Error: OutOfMemoryException"
PhilipRoman No.43797036
If structured logging is too much, unique prefixes solve this issue. Basically you need some token that user provided data is unable to output to the log. If you rigorously escape all newlines, you can then use start-of-line and end-of-line as unforgeable tokens. The possibilities are endless and it all comes down to understanding whether the intersection of two grammars is empty.
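An added example, not from the thread, of the unique-prefix and newline-escaping scheme described above: a naive writer beside a hardened one, and the log-watching check from the anecdote run over constructed records, including dusanz's plain "Error: OutOfMemoryException" search. All function names and sample inputs are mine.

```python
import re

# Constructed example: a naive logger appends user-supplied text verbatim,
# so a search string containing a newline can forge a line that a
# log-watching restart script would treat as a real "Error:" record.
def naive_log_line(kind: str, payload: str) -> str:
    return f"{kind}: {payload}\n"

# Hardened form: control characters and the escape character itself are
# escaped, so the only newline in the emitted record is the one we append.
# Start-of-line followed by the fixed prefix is then an unforgeable token.
_CTRL = re.compile(r"[\x00-\x1f\x7f\\]")

def escape_field(text: str) -> str:
    return _CTRL.sub(
        lambda m: "\\\\" if m.group(0) == "\\" else "\\x%02x" % ord(m.group(0)),
        text,
    )

def unescape_field(text: str) -> str:
    # Inverse of escape_field, so the original search term is recoverable.
    return re.sub(
        r"\\x([0-9a-f]{2})|\\\\",
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else "\\",
        text,
    )

def safe_log_line(kind: str, payload: str) -> str:
    return f"{kind}: {escape_field(payload)}\n"

# The watchdog from the anecdote: only records that *start* with the
# "Error: " prefix count, and with escaping in place no user input can
# place that prefix at the start of a line.
_OOM_RECORD = re.compile(r"^Error: .*OutOfMemoryException", re.MULTILINE)

def count_oom_records(log_text: str) -> int:
    return len(_OOM_RECORD.findall(log_text))

def demo() -> tuple[int, int]:
    """Returns (naive_count, safe_count) for one real OOM plus two searches."""
    # Constructed inputs: the plain search from the thread and one that
    # smuggles a newline to fabricate an error line.
    searches = ["Error: OutOfMemoryException", "shoes\nError: OutOfMemoryException"]
    naive = naive_log_line("Error", "OutOfMemoryException")
    safe = safe_log_line("Error", "OutOfMemoryException")
    for s in searches:
        naive += naive_log_line("Search", s)
        safe += safe_log_line("Search", s)
    return count_oom_records(naive), count_oom_records(safe)
```

Calling `demo()` gives `(2, 1)`: the naive log contains a forged second OOM record, the escaped log only the genuine one.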
happysadpanda2 No.43802208
I read the gp to mean that error.log (being parsed to look for OOM) would have no associations with userSearches.log, in which an end-user searched for OOM