On Fri, Jan 09, 2004 at 03:32:29PM +0100, André Malo wrote:
> * Geoffrey Young <[EMAIL PROTECTED]> wrote:
>
> > > However, is it wise to add a configure option for it?
> >
> > how do you mean? I was trying to make it just a compile time option,
> > similar to -DBIG_SECURITY_HOLE (which seems to me a bigger risk than
> > this).
> > do you mean to require users to change a define in the code itself?
>
> No no. I wanted to say "would it be wise, to add a configure option", such
> as --without-escaping-errorlog or so.

I don't think it's appropriate to add configure switches to turn off
security features: users may not understand the implications of the
switch if they just see it in the --help output.

  CFLAGS=-DUNSAFE_LOG_ESCAPING ./configure

is just as easy to document as

  ./configure --disable-errorlog-escaping

in any case.

Regards,

joe
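
What the compile-time define discussed in this thread would control, as an added example that is not code from the thread or from httpd's source: a hypothetical escape_errorlog_line() whose escaping is compiled out only when UNSAFE_LOG_ESCAPING is defined. The \xHH output format and the sample request path are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not httpd's own code): copy src into
 * dst for writing to an error log. Unless built with -DUNSAFE_LOG_ESCAPING,
 * control and non-ASCII bytes become \xHH and a backslash becomes \\, so
 * client-supplied data cannot start a new log line or carry terminal
 * escape codes. Returns bytes written, excluding the terminating NUL. */
size_t escape_errorlog_line(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;

    if (dstlen == 0)
        return 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
#ifndef UNSAFE_LOG_ESCAPING
        if (c == '\\') {
            if (n + 2 >= dstlen) break;   /* never emit half a sequence */
            dst[n++] = '\\';
            dst[n++] = '\\';
            continue;
        }
        if (c < 0x20 || c >= 0x7f) {
            if (n + 4 >= dstlen) break;
            dst[n++] = '\\';
            dst[n++] = 'x';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 0x0f];
            continue;
        }
#endif
        if (n + 1 >= dstlen) break;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: a request path carrying CR LF and a forged entry. */
    const char *path = "/x\r\n[error] forged entry";
    char out[128];
    size_t n = escape_errorlog_line(path, out, sizeof out);

    printf("[error] File does not exist: %s\n", out);
    printf("(%zu raw bytes, %zu logged)\n", strlen(path), n);
    return 0;
}
```

Built normally, the sample stays on one log line; built with CFLAGS=-DUNSAFE_LOG_ESCAPING, the CR LF passes through and the forged entry appears as a line of its own.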
