On Wed, Oct 31, 2012 at 3:36 PM, Eric Jacobs <ejac...@bluehost.com> wrote:
> On 10/31/2012 06:00 AM, Eric Covener wrote:
>>
>> In general that is the proper form -- but this particular issue is
>> documented as a limitation:
>>
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable."
>
> Some users (like Bluehost) require the functionality of symlinks without the
> possibility of server side vulnerabilities. Having the vulnerability
> documented doesn't keep servers safe.

My point was that discussion of this particular issue does not need to be segregated to the private security list.