
> Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success). A configuration change to the library caused it to return results even when the HTTP status code was not 200. Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.

I'd bet that the library in question was libcurl, and they forgot to set CURLOPT_FAILONERROR[1].

[1]: https://curl.haxx.se/libcurl/c/CURLOPT_FAILONERROR.html
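The failure mode in the quoted passage, as an added example that is not part of the original comment or the affected system's code: a validator that ignores the HTTP status accepts a 404 page that echoes the request URL, while one that requires a 200 does not. The `fetch` stand-in, the `/dcv/<code>.txt` URL layout and the exact-match comparison in `strict_check` are assumptions made for illustration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str

def fetch(site: dict, path: str) -> Response:
    """Constructed stand-in for a web server: serves entries of `site`,
    otherwise returns a 404 page that echoes the requested URL."""
    if path in site:
        return Response(200, site[path])
    page = ("<h1>Not Found</h1><p>The requested URL "
            f"{html.escape(path)} was not found on this server.</p>")
    return Response(404, page)

def lenient_check(resp: Response, token: str) -> bool:
    # Flawed behaviour from the quote: the status code is ignored and the
    # random code is accepted anywhere in the response body.
    return token in resp.body

def strict_check(resp: Response, token: str) -> bool:
    # Only a 200 counts. Requiring the body to be exactly the code is an
    # extra hardening step added here, not something the page describes.
    if resp.status != 200:
        return False
    return hmac.compare_digest(resp.body.strip().encode(), token.encode())

def validate(site: dict, token: str, check) -> bool:
    # Hypothetical URL layout; the page only says the URL contains the code.
    path = f"/dcv/{token}.txt"
    return check(fetch(site, path), token)

if __name__ == "__main__":
    token = secrets.token_hex(16)
    sites = {
        "file never placed": {},
        "file placed": {f"/dcv/{token}.txt": token + "\n"},
    }
    for name, site in sites.items():
        print(f"{name}: lenient={validate(site, token, lenient_check)} "
              f"strict={validate(site, token, strict_check)}")
```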



