mgaunard 2 days ago

That's not a security issue, it's a correctness issue.

The whole feature simply does not work.

0x457 2 days ago

If I use OpenSSL to generate a random number, but someone accidentally made it return 4 and nothing else, is it a correctness issue or a security issue? The whole feature simply does not work.

pytness 2 days ago

if a gpg signature check fails, is it a correctness issue? a security issue? or both?

amiga386 2 days ago

If RewriteCond (or any other Apache directive) doesn't behave as documented, that's a correctness issue.

If you use RewriteCond as the basis of securing your website, that's a security issue for you.

If it's a security issue for a significant number of users, or if the documentation recommends using the directive for a security role, then it's also a security issue for the product itself.

inopinatus 2 days ago

I'd upgrade/reframe that last point more strongly. Any configuration of software that is accepted by its own parser is in product scope.

mgaunard 2 days ago

RewriteCond is a mechanism to redirect under certain conditions.

Security becomes irrelevant if the whole Apache module is broken.

falcor84 2 days ago

I don't see how it becomes irrelevant. It's as if I have a door in the entrance to my building that serves multiple purposes, such as holding the company logo and keeping the A/C-controlled air in, and then someone smashes the door with a sledgehammer. The fact that all of the door's functionality stopped working doesn't make the security aspect of not having a door irrelevant.

mgaunard 2 days ago

A better analogy is that you decided to replace your door with a new one, and before installation you notice that it is smashed to pieces and can't be used.

falcor84 2 days ago

I'll take that. But in this case it's even worse, as apparently they never bothered to check if the door is in one piece and just screwed the smashed pieces onto the hinges regardless. So now it's not working as a door either functionally or security-wise, but it took someone visiting from outside to see that the emperor has no door.