Mimir,

 > +            /* First, try to include file from current working directory.
 > +               This allows local includes which is handy sometimes. */
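Review bot: the lookup order this comment describes, current working directory first and only then the configured module path, lets anyone who can write to whatever directory the administrator happens to run the tool from supply the included file, and it takes precedence over the trusted copy. Drop the cwd lookup and resolve includes only against the configured module directories; if a local-override facility is wanted, make it opt-in via an explicit, absolute path rather than implicit cwd search.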

yes, it's very handy if you are a malicious hacker!

Imagine the admin has an ftp upload area, and cd's to that
directory. He wants to see if anyone is connected to that area with
"smbstatus". The attacker uploads util.js and hey presto the attacker
has just got the admin to run his code inside smbstatus, as root.

Same applies to someone's home directory.

There is a very good reason why "." is not in $PATH on unix by
default :-)

Please revert this one. It's a major security hole.

Cheers, Tridge
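The attack Tridge describes, reproduced as an added example (not Samba code and not the patch under discussion): a resolver that mimics the quoted "current working directory first" lookup, beside a hardened one that only consults absolute, configured module directories and refuses names that could escape them. The "ftp upload area", the trusted module directory and the two util.js files are constructed in a temporary directory; `resolve_include_cwd_first`, `resolve_include_trusted_only` and `demo` are hypothetical names chosen for this illustration.

```python
import os
import tempfile


def resolve_include_cwd_first(name, module_dirs):
    """Mimics the quoted patch comment: try the current working directory
    first, then the configured module directories. This is the vulnerable
    behaviour: whoever can write to cwd wins."""
    for d in [os.getcwd(), *module_dirs]:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_include_trusted_only(name, module_dirs):
    """Hardened variant: never consult cwd, require absolute module
    directories, and reject include names that could step outside them."""
    if os.path.isabs(name) or os.path.normpath(name).split(os.sep)[0] == "..":
        raise ValueError(f"refusing include name {name!r}")
    for d in module_dirs:
        if not os.path.isabs(d):
            # A relative module dir would be resolved against cwd, which is
            # exactly the attacker-controlled location we are avoiding.
            raise ValueError(f"module dir {d!r} must be absolute")
        candidate = os.path.normpath(os.path.join(d, name))
        # Compare real paths so a symlink or '..' cannot escape the module dir.
        real_dir = os.path.realpath(d)
        if os.path.commonpath([real_dir, os.path.realpath(candidate)]) != real_dir:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed scenario: an upload area holding an attacker-planted
    util.js, a trusted module dir holding the legitimate util.js. Chdir into
    the upload area (as the admin in the story does) and ask each resolver
    which util.js it would load. Returns the chosen paths for inspection."""
    with tempfile.TemporaryDirectory() as root:
        upload = os.path.join(root, "upload")    # the ftp upload area
        trusted = os.path.join(root, "modules")  # the configured module path
        os.makedirs(upload)
        os.makedirs(trusted)
        planted = os.path.join(upload, "util.js")
        legit = os.path.join(trusted, "util.js")
        with open(planted, "w") as f:
            f.write("/* attacker-controlled */\n")
        with open(legit, "w") as f:
            f.write("/* legitimate module */\n")

        old_cwd = os.getcwd()
        os.chdir(upload)
        try:
            vulnerable = resolve_include_cwd_first("util.js", [trusted])
            hardened = resolve_include_trusted_only("util.js", [trusted])
        finally:
            os.chdir(old_cwd)

    return {
        "planted": planted,
        "legit": legit,
        "vulnerable_picked": vulnerable,
        "hardened_picked": hardened,
    }


if __name__ == "__main__":
    r = demo()
    print("cwd-first resolver loaded:", r["vulnerable_picked"])
    print("trusted-only resolver loaded:", r["hardened_picked"])
```

Run it and the cwd-first resolver returns the file from the upload area while the hardened one returns the copy from the module directory; the same difference is what turns an admin running smbstatus from a writable directory into code execution as root.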
