Hacker Newsnew | past | comments | ask | show | jobs | submit | arestor's commentslogin

See https://news.ycombinator.com/item?id=13719437


Some features had a bug which lead to uninitialized memory (AKA previous memory contents) in the output of a malformed HTML page was requested.

As one such server handles many sites, everything that the server handled before that request may be compromised. This includes all HTTP-GET/POST data (credentials, direct messages to other users, ...), Headers (API tokens, Login-Cookies) and contents.

So, you have to assume that everything you did on a CF "protected" website in the last months (especially between 2017-02-13 and 2017-02-17) is potentially compromised.


Where is a reliable list of CF-protected websites so I may identify which ones I have interacted with?


An unofficial list is being compiled here: https://github.com/pirate/sites-using-cloudflare


It's C. If you have an array, you may only compare to one element behind the last. Everything else is undefined behavior. So a compiler may just "optimize" your >= to ==.


No it won't. It's using pointers, not array indices. The compiler has no possible way of knowing that `pe` is the one-past-the-end address.


It's still UB. The array could potentially be at the end of the address space...


Well yes, it could, but that's not really an argument for saying that Ragel using == is just as good as using >=.


It's not an array. It's inside a large buffer allocated by nginx.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: