I patched the 1.2.x branch to fix Bug #38374 "Validation skipped with Globals.CANCEL_KEY" and was planning to apply the same fix to the original RequestProcessor in the current trunk (1.3 series):
http://issues.apache.org/bugzilla/show_bug.cgi?id=38374 http://svn.apache.org/viewcvs?rev=377805&view=rev However Ted expressed the opnion that Bug 38374 was a feature and he would rather the change I made to the 1.2.x branch not go into 1.3.1 http://tinyurl.com/c3j7m My view is its a security hole and it needs to be fixed in the 1.2.x branch and 1.3 branch. So we need to either: 1) Decide its a security issue and fix this issue in the 1.3 series. 2) Decide its a feature and reverse out the change I made to the 1.2.x branch I'm proposing here that we apply the changes to the 1.3 RequestProcessor (I'm happy to do the change) for this issue. Niall --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
