by stevekemp
2992 days ago
I can give you an example of something that is relatively common and "bad". Imagine a website that will take a URL and extract the text from it - removing markup - or another service that will scan a URL for meta-tags, etc. All the kind of things that you can find easily. Now imagine what happens if a user passes input such as "file:////etc/passwd". There are a whole bunch of services which will spit out the contents of the file, because they use some URL-fetching library and don't limit the protocols to http or https. I wrote a blog-post about that, which was featured here a while back: https://news.ycombinator.com/item?id=12478538
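The fix the comment points at, limiting a URL-fetching service to http and https, as an added example that is not part of the comment or the linked blog post. The function names, the allowed-scheme set and the stub fetcher are assumptions made for illustration; the check runs before any fetch so a URL like "file:////etc/passwd" never reaches the fetching library.

```python
import urllib.parse

# Schemes a text-extraction or meta-tag service actually needs (assumption).
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_url(url: str) -> bool:
    """Accept only absolute http/https URLs that name a host.

    urlsplit() lower-cases the scheme, so "FILE:///etc/passwd" is refused
    the same way as "file:////etc/passwd". Scheme-less input such as
    "/etc/passwd" parses with an empty scheme and is refused too.
    """
    try:
        parts = urllib.parse.urlsplit(url.strip())
    except ValueError:
        # Malformed input (e.g. unbalanced IPv6 brackets): refuse rather than guess.
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:///etc/passwd" has an allowed scheme but no host; refuse that as well.
    if not parts.hostname:
        return False
    return True


def fetch_text(url: str, fetcher) -> str:
    """Fetch a page through `fetcher(url) -> str` only after the scheme check.

    `fetcher` stands in for whatever URL library the service uses (assumption);
    the point is that it is never called for a disallowed URL.
    """
    if not is_allowed_url(url):
        raise ValueError(f"refusing to fetch non-http(s) URL: {url!r}")
    return fetcher(url)


def _stub_fetcher(url: str) -> str:
    # Constructed stand-in so the example runs offline; it does no network I/O.
    return f"<html><body>contents of {url}</body></html>"


def demo() -> dict:
    """Run the check over a few constructed inputs and report the outcome."""
    samples = [
        "https://example.com/article",        # allowed
        "http://example.com/page.html",       # allowed
        "file:////etc/passwd",                # the case from the comment
        "FILE:///etc/passwd",                 # mixed-case scheme
        "http:///etc/passwd",                 # allowed scheme, no host
        "/etc/passwd",                        # no scheme at all
        "ftp://example.com/pub/x",            # not on the allowlist
    ]
    results = {}
    for url in samples:
        try:
            results[url] = fetch_text(url, _stub_fetcher)
        except ValueError as err:
            results[url] = f"REFUSED: {err}"
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(f"{url:35} -> {outcome}")
```

The scheme allowlist closes the file:// hole the comment describes, but it is only the first gate of a URL-fetching feature: a fetcher that follows redirects must apply the same check to every hop, and a full SSRF defence also has to decide which hosts (loopback, link-local, private ranges) the service may talk to.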