On 18/07/2013, at 11:27, Hugh Davenport <[email protected]> wrote:
> I would argue the researcher did contribute, they put in the public that
> the bug is more serious than it appears on the actual bug report. I do
> note that the bug hasn't had much traffic on it until today, so they are
> contributing indirectly.

Disclaimer: I am a core developer for SilverStripe, though not employed by the company.

I disagree. All that’s happened because of that blog post is this thread. The current solution was planned and targeted for 3.1.0 RC1 before the post was made. After the post, it’s just been the solution getting tidied up and pull requests created. The traffic picked up because a solution that could actually work was provided.

Yes, we’ve known about this since at least February (the reporter is the lead on the security team). Due to what ?flush=1 actually does (it’s not just a high-level cache flush) it is a difficult problem to solve. The current solution isn’t pretty, but is likely to be the best way without only allowing flushing from a command line task (which is impractical).

---
Simon Welsh
Admin of http://simon.geek.nz/

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
