httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: log_error_core escaping change broke things
Date Fri, 09 Jan 2004 14:38:40 GMT
On Fri, Jan 09, 2004 at 03:32:29PM +0100, André Malo wrote:
> * Geoffrey Young <geoff@modperlcookbook.org> wrote:
> 
> > > However, is it wise to add a configure option for it?
> > 
> > how do you mean?  I was trying to make it just a compile time option,
> > similar to -DBIG_SECURITY_HOLE (which seems to me a bigger risk than
> > this).
> >  do you mean to require users to change a define in the code itself?
> 
> No no. I wanted to say "would it be wise, to add a configure option", such
> as --without-escaping-errorlog or so.

I don't think it's appropriate to add configure switches to turn off
security features: users may not understand the implications of the
switch if they just see it in the --help output.

CFLAGS=-DUNSAFE_LOG_ESCAPING ./configure

is just as easy to document as

./configure --disable-errorlog-escaping

in any case.

Regards,

joe

Mime
View raw message