I have been a software professional since I was in high school in 1998. I'm enthusiastic about open source, and I really enjoy working in unusual software systems or within strange constraints.
I very much appreciate the intent of this, and in general I completely agree. Especially if you’re making a library, good error messages are really helpful.
We do need to be careful, though. Error messages can disclose the inner workings of our applications, which can be harmful from a security perspective.
If you have an image resizing web service, “I couldn’t access the image” and “what I accessed wasn’t an image” are both too much information. If I know you couldn’t access the image, I can probe a bit more and hope that I’ll get a different message if I figure out how to trick your program. If you tell me you don’t think my malicious payload was an image, now I know to try and defeat that validation. It would be far better to respond “I don’t know what happened, but I couldn’t fulfill your request”; then I have a lot less to go on in trying to defeat your safeguards.
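The point in the comment above, as an added example that is not part of the original post or of any real service: the same image-resize handler written twice. The leaky version hands the client a different message for each failed check, so the set of error strings reveals which safeguard stopped the request; the hardened version collapses every failure into one generic response and keeps the specific cause in a server-side log keyed by a reference id. The in-memory `STORE`, the URLs, the magic-byte check and all function names are constructed for the example.

```python
"""Added example: leaky vs. generic error responses for an image-resize handler.
Everything here (STORE, URLs, helper names) is constructed for illustration."""
import logging
import uuid

log = logging.getLogger("resize")

# Constructed stand-in for remote storage: URL -> bytes. A real service would
# fetch over HTTP; the failure modes (not found, not an image) are the same.
STORE = {
    "https://example.invalid/cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "https://example.invalid/notes.txt": b"just some text, not an image",
}

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def fetch(url):
    """Return the stored bytes or raise, mimicking a failed download."""
    if url not in STORE:
        raise FileNotFoundError(url)
    return STORE[url]


def is_image(data):
    """Minimal content check: accept only PNG or JPEG magic bytes."""
    return data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)


def resize_leaky(url):
    """Tells the caller exactly which check failed: too much information."""
    try:
        data = fetch(url)
    except FileNotFoundError:
        return {"status": 400, "error": "I couldn't access the image"}
    if not is_image(data):
        return {"status": 400, "error": "What I accessed wasn't an image"}
    return {"status": 200, "error": None, "size": len(data)}


def resize_hardened(url):
    """Same checks, but every failure yields one generic client-facing message.

    The real cause is logged server-side under a reference id that is also
    returned to the client, so operators can still correlate a support
    request with the log line without the client learning which safeguard
    fired. Both failure paths use the same HTTP status as well, since a
    differing status code would leak the same distinction."""
    ref = uuid.uuid4().hex
    generic = {
        "status": 400,
        "error": "I don't know what happened, but I couldn't fulfill your request",
        "ref": ref,
    }
    try:
        data = fetch(url)
    except FileNotFoundError:
        log.warning("ref=%s fetch failed url=%r", ref, url)
        return generic
    if not is_image(data):
        log.warning("ref=%s content rejected (not an image) url=%r", ref, url)
        return generic
    return {"status": 200, "error": None, "size": len(data), "ref": ref}


def distinct_error_messages(handler, urls):
    """How many different error strings a client can observe across `urls`.

    Anything above 1 means the client can tell the failure modes apart."""
    return {r["error"] for r in (handler(u) for u in urls) if r["error"] is not None}


if __name__ == "__main__":
    probes = ["https://example.invalid/missing.png", "https://example.invalid/notes.txt"]
    print("leaky:   ", distinct_error_messages(resize_leaky, probes))
    print("hardened:", distinct_error_messages(resize_hardened, probes))
```

The generic message only removes the distinction from the response body; a production handler also needs to avoid leaking the same information through differing status codes, response sizes or noticeably different response times, and the server log that keeps the detail should itself be access-controlled.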
Cool, keep it up