Jim Jagielski wrote:
> I tend to agree... This seems to open up a huge can
> of worms, and makes it very easy for people to use these "neat"
> features and open themselves up to all kinds of
> nasty, nasty things.

If it is properly documented, disabled by default, and also ACL-limited (domain, path, dstip of foreign server), then this is a useful feature. In any case, PHP can already do that. An Apache-level equivalent is perfect in terms of performance and consistency.

And, in any case, security is not a software-provided feature but, I guess, a software-aided one. Yes, clueless admins might be open to XSI attacks, but... PHP, for instance, provides register_globals set to Off by default. Knowledgeable admins can still enable it if they know (or believe they know) what they're doing.

Sounds like a pretty similar discussion to me.

-- 
Arturo "Buanzo" Busleiman - Independent IT Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.
