https://issues.dlang.org/show_bug.cgi?id=15584
--- Comment #8 from Cédric Picard <cpic...@openmailbox.org> --- (In reply to Ketmar Dark from comment #7) > (In reply to Cédric Picard from comment #6) > > Otherwise > > why did we bother enforce that the compiler can't read or write arbitrary > > files during CTFE? > 'cause this breaks the rule of "same code should behave the same in compile > time and in runtime." That too, ok. > > I stand on my position, an attack is possible > of course, it is possible. i just don't see any reason in curing the > symphtoms in this case. If anything to bring some consistency. Security issues appart compiling the same source code with the same flags and the same files in the folder twice ends up with two completely different results. The first one will create a file elsewhere, at the emplacement targeted by the link while the second compilation will actually do what it should have from the beginning, remove the link and build the executable in place. That's inconsistent. Either we choose to trust the user and follow the link in all circumstances, either we consider that a link isn't special enough to avoid being replaced like any other file and we remove it. > anyway: let it be of "normal" severity then? I leave that point to your discretion. I'm a security guy, every vulnerability allowing remote access is critical for me, but it's the developper's job to decide whether it fits their security model or not. --