>>>>> "DW" == Dave Wolfe <dwolfe@risc.sps.mot.com> writes:
DW> My sincere apologies. Rolling back my screen shows comments by Chan on
DW> access_check().
Which doesn't mean that he's responsible; we don't really have an audit
trail for the code.
DW> Not your problem, but basically, 'restrict_post' is used for two
DW> similar duties but handled differently for each.
I see that now. It's kind of gross, but it does make a bit of sense as the
easiest way out.
DW> Do we break compatibility and stop accepting absolute paths in
DW> check_sender?
While it's a sane action, I don't think it will win any friends.
DW> Or expand the problematical use of absolute paths in
DW> access_check()?
I suppose that for continuing 1.94.x releases it only makes sense to let
people keep using absolute paths; too many people would complain if you
didn't. Some deprecation warnings in big letters all over the
documentation might not hurt, though. What's important is that if you
can't get rid of absolute pathnames, you at least need to make them work
consistently. Perhaps there should be a config variable,
$allow_unsafe_pathnames or somesuch that lets the installer control this.
- J<
Follow-Ups:
References:
|
|
