On Tue, 13 Sep 2016, John Dougrez-Lewis wrote:

> Surely the security vulnerability could have been fixed by disallowing
> "file://" variants in the URL rather than removing the feature altogether?
> Or were there other implementation issues relating to the fileUrl feature
> that meant it was best removed?

As the fetch is done by the server, it could allow you to fetch documents
that you as a user couldn't see/access/reach but the server could. It also
has some denial of service risks too, plus doesn't have things you want
from a web spider like pools / limits / robots.txt acceptance etc.
Nick
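
Added example, not part of the original messages and not the project's own code: a scheme denylist (the fix proposed in the question) compared with a check on where the server would actually connect, which is the access concern raised in the reply. The function names, the host table and the injected `resolve` callable are assumptions made so the example runs offline; it does not cover the denial-of-service or crawler-limit points.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS (not a live lookup).
CONSTRUCTED_DNS = {
    "www.example.org": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}

def resolve(host):
    """Hypothetical resolver: table lookup, else treat the host as an IP literal."""
    return CONSTRUCTED_DNS.get(host, [host])

def scheme_denylist_ok(url):
    """The proposed fix: reject only file:// URLs."""
    return urlsplit(url).scheme.lower() != "file"

def server_side_fetch_ok(url, resolve):
    """Allow http(s) only, and only when every resolved address is public.

    A real fetcher must apply the same check to the address it actually
    connects to, and again on every redirect.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            return False
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:
        # Malformed URL, or a host that is neither known nor an IP literal.
        return False
    return bool(addrs) and all(a.is_global for a in addrs)

if __name__ == "__main__":
    for u in ("file:///tmp/doc.pdf",
              "http://intranet.example/report.pdf",
              "http://127.0.0.1:8080/",
              "https://www.example.org/doc.pdf"):
        print(u, scheme_denylist_ok(u), server_side_fetch_ok(u, resolve))
```

The intranet and loopback URLs pass the scheme denylist but are rejected once the destination address is checked.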