If someone wants to take responsibility for maintaining the legacy RequestProcessor in 1.3.x along with the ComposableRequestProcessor, then go ahead. I just didn't want to take responsiblity for maintaining duplicate lines of development myself. The Opt-In Cancel Handler is available in the default Action 1.3.0 configuration., which was my primary concern.
-Ted. On 2/18/06, Niall Pemberton <[EMAIL PROTECTED]> wrote: > I patched the 1.2.x branch to fix Bug #38374 "Validation skipped with > Globals.CANCEL_KEY" and was planning to apply the same fix to the > original RequestProcessor in the current trunk (1.3 series): > > http://issues.apache.org/bugzilla/show_bug.cgi?id=38374 > http://svn.apache.org/viewcvs?rev=377805&view=rev > > However Ted expressed the opnion that Bug 38374 was a feature and he > would rather the change I made to the 1.2.x branch not go into 1.3.1 > > http://tinyurl.com/c3j7m > > My view is its a security hole and it needs to be fixed in the 1.2.x > branch and 1.3 branch. So we need to either: > > 1) Decide its a security issue and fix this issue in the 1.3 series. > 2) Decide its a feature and reverse out the change I made to the 1.2.x branch > > I'm proposing here that we apply the changes to the 1.3 > RequestProcessor (I'm happy to do the change) for this issue. > > Niall --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
