On Sun, 15 May 2011, Graham Leggett wrote:
The mod_include expression parser tries hard to limit what can be done. For
example, the subrequest operator -A can be switched of with a config
option.
If it makes your life easier to remove this config option please do - it was
only put there to make it possible to backport the -A option to v2.2 while
guaranteeing no existing configs could break. In v2.4 this option doesn't
make much sense.
So you implemented it more as a safeguard against confusion with "-A"
strings in existing expressions than as a security measure? Do you think
that untrusted shmtl files are not a common use case? In that case I would
tend to the "people can always switch back to the old restricted
expression syntax" solution.
Cheers,
Stefan
