
It doesn't even need a library. A simple regex would have prevented this.


A naive regex would just as easily have exactly the same issue, e.g. "^http:"


That wouldn't have the same issue since the space at the beginning would fail that regex.


I believe that's parent's point. "https:" would be OK, "http:" would be rejected, but " http:" would also be _accepted_. They looked for "http://" at the start of the string, instead of requiring "https://".

Replacing:

    bool flag2 = file.Location.ToLower().StartsWith("http://");

with:

    bool flag2 = Regex.IsMatch(file.Location.ToLower(), "^http:");

doesn't help. You have to make sure to actually replace http, not just check the start of the line.
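
Added example, not part of the thread and not the affected product's code: the prefix denylist discussed above next to an allowlist that only accepts a string that parses as an absolute `https` URI. `LocationCheck`, its method names and the sample URLs are hypothetical, and treating a true `StartsWith("http://")` as "reject" is an assumption about how the flag was used.

```csharp
using System;

static class LocationCheck
{
    // Denylist as quoted in the thread: reject only the literal prefix "http://".
    // Assumption: a true StartsWith result meant "reject"; everything else passed.
    public static bool DenylistAccepts(string location) =>
        !location.ToLower().StartsWith("http://");

    // Allowlist: accept only a clean absolute URI whose scheme is https.
    // Uri parsing tolerates surrounding whitespace, so untrimmed input is
    // rejected explicitly instead of being silently normalised.
    public static bool AllowlistAccepts(string location)
    {
        if (string.IsNullOrEmpty(location) || location != location.Trim())
            return false;
        return Uri.TryCreate(location, UriKind.Absolute, out var uri)
            && uri.Scheme == Uri.UriSchemeHttps;
    }

    static void Main()
    {
        // Constructed sample inputs; example.test is a placeholder host.
        string[] samples =
        {
            "https://example.test/update.zip",
            "http://example.test/update.zip",
            " http://example.test/update.zip",   // leading space, as in the thread
            "HTTP://example.test/update.zip",
            "ftp://example.test/update.zip",
        };

        foreach (string s in samples)
        {
            string shown = "\"" + s + "\"";
            Console.WriteLine(
                $"{shown,-40} denylist={DenylistAccepts(s),-5} allowlist={AllowlistAccepts(s)}");
        }
    }
}
```

The denylist passes the leading-space and `ftp://` inputs; the allowlist passes only the first sample.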



