https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28200
--- Comment #11 from David Cook <[email protected]> ---
(In reply to Martin Renvoize from comment #10)
> I've not read enough of the background to understand why support was dropped
> for security reasons in the upstream library? It feels like if they've
> disabled it by default for a reason we shouldn't just re-enable it without
> considering the possible security ramifications. That said, I wouldn't be
> opposed to tying that constructor line to yet another system preference that
> defaults to enabled for upgrades and disabled for new installs. That way
> we don't break anyone's setups but encourage the more secure form going
> forward?

Personally, I think their labelling it as a "security" change was overblown.

My understanding is that they dropped support for the abbreviated format because it *might* be too easy to accidentally specify a more permissive range than one intends. I can see how 10.10 is much less explicit than 10.10.0.0/16 but I don't really see the problem.

But at this point in the discussion I am OK with Koha dropping support for the abbreviated form.

I suppose the question is do we leave it as a breaking change or do we automagically fix people's configuration?

I don't mind manually fixing all my instances, but I also know this stuff really well. It looks like HEA doesn't capture the relevant ILS-DI syspref (https://hea.koha-community.org/systempreferences) so I don't know what people have used...
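An added example, not part of the original comment and not Koha code: a Python audit that rewrites abbreviated entries in an IP allow-list to explicit CIDR and reports how many addresses each short form admits, which is the check an automatic configuration fix would need. The comma-separated format, the function names, the sample value and the rule that n leading octets mean a /(8*n) network (generalized from the thread's 10.10 = 10.10.0.0/16) are assumptions.

```python
import ipaddress
import re

# Assumption: an abbreviated entry of n leading octets means an /(8*n) network,
# as in the thread's example where "10.10" stands for 10.10.0.0/16.
ABBREVIATED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,2}\.?$")


def normalize_entry(entry):
    """Return (explicit_cidr, was_abbreviated); raise ValueError if invalid."""
    entry = entry.strip()
    if ABBREVIATED.match(entry):
        octets = entry.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=True)
        return str(net), True
    # Full addresses and explicit CIDR pass through; host bits set in a
    # CIDR entry (e.g. 10.10.1.5/16) are rejected rather than silently masked.
    return str(ipaddress.ip_network(entry, strict=True)), False


def audit_allowlist(value):
    """Split a comma-separated allow-list (assumed format) and classify entries."""
    report = {"rewritten": [], "unchanged": [], "invalid": []}
    for raw in filter(None, (p.strip() for p in value.split(","))):
        try:
            cidr, abbreviated = normalize_entry(raw)
        except ValueError:
            report["invalid"].append(raw)
            continue
        if abbreviated:
            # Record how many addresses the short form actually admits.
            size = ipaddress.ip_network(cidr).num_addresses
            report["rewritten"].append((raw, cidr, size))
        else:
            report["unchanged"].append(raw)
    return report


if __name__ == "__main__":
    # Constructed sample value, not taken from any real installation.
    sample = "10.10, 192.168.1., 203.0.113.7, 10.0.0.0/8, 10.10.1.5/16, 300.1"
    for key, items in audit_allowlist(sample).items():
        print(key, items)
```

Entries listed under "invalid" are left for an administrator to correct by hand instead of being guessed at.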
