
See my other comment. The engineer who wrote this code did take the time to validate, but his validation was incorrect.

Call it "blatant incompetence" if you like, but I'm guessing you've written a buggy validation or regex once or twice in your life.



Except that using validation at all in this case is a mistake, especially writing it yourself for a narrow case, much less using regexes to do it.

Escaping, damnit.


Yes, I agree. That's why we've tried to assist Rails Core in reviewing a more comprehensive string tainting model. I've said for some time now that security needs to be institutionalized in frameworks in order for developers to be unable to make stupid mistakes like this one.


If that's bad, remember the old iTunes installer bug?

http://apple.slashdot.org/article.pl?sid=01/11/04/0412209...

They had a shell script which didn't "quote" their $variables. It rm -rf'd entire drives by mistake. It's why I use "$@" now.
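The quoting bug described in the comment above, as an added example that is not part of the thread: the paths are constructed, and a dry-run function stands in for rm so nothing is actually deleted.

```shell
# Added example, not from the thread: shows why an unquoted $variable (or bare $@)
# word-splits on whitespace, and why "$variable" / "$@" keep each argument intact.
# All paths are constructed; dry_run_rm only reports what rm would have received.

# Dry-run stand-in for rm: reports each argument it received, separated by '|'.
dry_run_rm() {
    printf '%s|' "$@"
}

# Buggy pattern: the variable is expanded unquoted, so a path containing a
# space is split into two separate "files" to remove. The first fragment
# ("/Volumes/My") is a path the script never intended to touch.
remove_unquoted() {
    target="/Volumes/My Disk"
    dry_run_rm $target/Applications
}

# Fixed pattern: quoting keeps the whole path as a single argument.
remove_quoted() {
    target="/Volumes/My Disk"
    dry_run_rm "$target/Applications"
}

# Buggy wrapper: bare $@ re-splits every argument the caller passed in.
forward_unquoted() {
    dry_run_rm $@
}

# Fixed wrapper: "$@" forwards the caller's arguments exactly as received.
forward_quoted() {
    dry_run_rm "$@"
}

# Demo output when run directly.
echo "unquoted: $(remove_unquoted)"   # /Volumes/My|Disk/Applications|
echo "quoted:   $(remove_quoted)"     # /Volumes/My Disk/Applications|
```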


So you let the same engineer who writes code green-light it for deployment?


No. We have a code review process. It wasn't caught in review, and was okayed for deployment by another engineer.



