Hacker News

tredre3, today at 12:41 AM (1 reply)

> Nginx serves ~20% of the web; memory-unsafe languages might just become intractable for critical infra exposed to the web if the rate of critical CVEs in these rises faster than they can be patched

That is true; however, did you actually do any research into nginx? Is it particularly prone to memory bugs?

I honestly don't know the answer, but you seem to be coming from a place of "C bad, therefore nginx super vulnerable"?

In my experience with other web servers, the vast majority of security bugs are string-handling related (path/header injection), which your rewrite will not protect you from.


Replies

ianm218, today at 1:07 AM

https://securityaffairs.com/192132/hacking/nginx-rift-an-18-...

The project was inspired by that. Also, unlike most other projects, nginx is oftentimes directly exposed to the internet, which makes it more vulnerable than, i.e., Redis/Valkey or something that would generally be running within a company's network.

"C bad" is a bit reductionist... but I think there is some truth to the take "Until you have the evidence, don't bother with hypothetical notions that someone can write 10 million lines of C without ubiquitous memory-unsafety vulnerabilities – it's just Flat Earth Theory for software engineers" [1]

NSA and other government orgs are also pushing people to stop using C [2] for important software.

[1] https://alexgaynor.net/2020/may/27/science-on-memory-unsafet...
[2] https://linuxsecurity.com/news/government/nsa-s-plea-stop-us...
