Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

As I said in another comment, crop all the parameters from the URL, and the problem solves itself. Path is case sensitive, the domain must be lowercased anyways, so no problem either.


So your solution is basically to throw various standards overboard so that spammers cannot generate more urls than there are images on a specific domain. Isn't this cure worse than the (at this point mostly hypothetical) disease?


Crop the parameters and you have no reason to assume it points at the same image. Good luck explaining to your customers what happens when someone finds a way to effectively poison your non-unique image cache with something offensive.


> Crop the parameters and you have no reason to assume it points at the same image.

Well, that is going to be a problem for the mailer. I'm totally fine with banning dynamic parameter dependent images.

> Good luck explaining to your customers what happens when someone finds a way to effectively poison your non-unique image cache with something offensive.

I would say it is the email marketer fault for using unsupported parameterized images. I cannot image a legit use for that, and many evil spammy ones.


> I would say it is the email marketer fault for using unsupported parameterized images.

The problem is this would not just happen to e-mail from email marketers, but also between regular users, and it would take just one particularly nasty exploit of cache poisoning of urls to some site with user-generated content before you suddenly have the press asking you why some innocent picture sent by someone underage to someone else underage was replaced by your site by hardcore porn - or worse.

I've run a webmail provider. I've seen the amount of abusive bullshit spammers and scammers do whether for profit or for fun or to get back at someone. It used to be my job to find these kind of issues before bad guys did, and one thing we learned very quickly was that every little thing like this would instantly have people probing it for ways to abuse it to cause grief for someone else. Or for us.

If you were going to ban images parameterized by URL parameters (and that would not ban parameterized images, just reduce the number of sites that could be attacked), the only viable choice is not load them at all. Just stripping the parameters would be an absolute disaster and wildly irresponsible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: