Hacker News new | past | comments | ask | show | jobs | submit login

I don't think I would use any package that makes this classic mistake in 2019. Web services need to be at least vaguely secure and this destroys all my confidence of that.

You would've thought OP posting to HN should've considered security backlash. Unfortunately, damage is done for me too.

This was fixed literally the minute it was commented here. Securing any project is always a long-term and continuous effort.

This project is brand new, I posted the repo publicly this morning. I frankly think this subthread is an overreaction. I don’t get the hate.

I saw your comments fixing it - which is pretty awesome by the way (& I hope you've taken on board the other comments regarding securing it even further).

Due to PHP experience, this would've been something that I ensured was implemented properly from the outset. I know this to be true, because I've dabbled in the very space you're working in now, and it was one of the very first things I ensured: that no file could be served except from direct descendants. (I rethought my project and tossed the code)

For something like this you need to be absolutely sure about security. Have a look at the annals of PHP security issues - and most likely you'll see a lot of similarities that you'll need to make sure you address.

I'm sorry if you read hate in my words: definitely was NOT intended! I have nothing against you as a co-habitor of this wonderful planet! To me, the bug highlights that a few design considerations may have been overlooked.

> This project is brand new, I posted the repo publicly this morning.

Are you implying that you don’t think it’s ready for production use? If so, maybe you should do like a lot of projects, and warn about it loud and clear in the docs. It’s not clear at all that users should expect the type of blatant security problems that were discovered here.

If the bar to posting to HN was "I am finally confident this project is mature", rather than "I can post any link I want and if people thing it's cool, it'll get upvoted", HN would have a hell of a lot less cool shit on the front page on a daily basis.

People are allowed to screw up: it's how we learn. They got comments that pointed out flaws, they fixed them and posted a follow-up regarding that fix, why the hate? This person tried to make something cool, they learned important security lessons, and now have a deeper insight into what they made, and the world it operates in. How is this possibly a bad thing we don't want to have happen on HN?

But after reading the thread following your fix it seemed that the fix wasn't done properly. That, more than the security issue itself, kind of ruined my confidence as well, sorry to say.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact