> There is this very promising "Additional clauses" parameter which will
> happily add anything to the search sql query I like.
>
> Needless to say, I can send arbitrary sql commands to the server
> either using subselects or some other escape trickery.
I think the general idea is that you're not meant to give access to the operators panel to anyone who you wouldn't give mysql/shell access to, so it's relatively harmless to add often-helpful functionality like this to the UI.

You can do various project-damaging things by design anyway, which is why the default configuration mandates you have an .htaccess file there and why there's the option for an auth_ops function on top.

(I've just been ignoring the ops scripts completely for this reason; there are indeed more issues in there if you give untrusted people access to it.)

- Alyssa
_______________________________________________
boinc_dev mailing list
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
