On Monday 25 August 2008 17:28, Thomas Goirand wrote:
> Second, do you guys think that setting the variable to DEBUG=0 by
> default, then writing a BIG BIG BIG warning next to it in the code is
> enough? Like: "WARNING: high security risk here if you set to DEBUG=1,
> high risk of symlink attack" then explaining how it works to hack?
> That's what I would do, as I don't want to rewrite the entire file that
> by the way works pretty well.
First, I think it's always a good idea not to enable DEBUG by default. Second, I don't think that it requires a "rewrite of the entire file" to fix it. Using PHP's tempnam() function to get the filenames instead of the hardcoded path names with PID is a change of just a few lines. So I propose to do both.

cheers,
Thijs
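As an added illustration (not code from this thread or from the package being discussed), the predictable-path pattern Thijs refers to beside its tempnam() replacement, with DEBUG kept off by default; the function names, the DEBUG constant and the log contents are assumed for the example.

```php
<?php
// Added example, not from the thread. The "before" form: a debug file at a
// predictable, PID-based path under a world-writable /tmp. Any local user can
// pre-create that path (for instance as a symlink), and the process then
// writes its debug output to wherever the planted path points.
function debugWriteUnsafe(string $data): string
{
    $path = '/tmp/debug.' . getmypid();   // guessable name, file may pre-exist
    file_put_contents($path, $data);      // follows a pre-planted symlink
    return $path;
}

// The "after" form: tempnam() creates a uniquely named file itself with mode
// 0600 before returning, so the name is not guessable in advance and the file
// is already owned by this process when it is written to.
function debugWriteSafe(string $data): string
{
    $path = tempnam(sys_get_temp_dir(), 'debug_');
    if ($path === false) {
        throw new RuntimeException('could not create temporary debug file');
    }
    file_put_contents($path, $data);
    return $path;
}

// Debug output stays disabled unless the deployer explicitly turns it on.
if (!defined('DEBUG')) {
    define('DEBUG', 0);
}

if (DEBUG) {
    // Constructed sample content for the example.
    $file = debugWriteSafe("request handled at " . date('c') . "\n");
    echo "debug output written to $file\n";
}
```

On a /tmp without the sticky bit the tempnam() file could still be removed and replaced between creation and the write, so the fix is strongest on a standard sticky-bit /tmp.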