On Oct 28, 2007, at 4:12 AM, Niklas Edmundsson wrote:
On Sat, 27 Oct 2007, Paul Querna wrote:
-0.9 on enabling this by default in mod_includes. Make it
possible to
turn it on via httpd.conf, but never on by default....
I agree.
And it should have huge warning signs, and a long descriptive name
that does not invite to "let's try this and see if it solves my
problem".
Cross-site-include-holes are nasty, and I see it as a feature that
they are not "supported" ;)
I tend to agree... This seems to open up a huge can
of worms, and makes it v easy to people to use these "neat"
feature and open themselves up to all kinds of
nasty, nasty things.
