Re: GTK+-1.2.9 Released

[Valdis . Kletnieks]

On Mon, 05 Mar 2001 14:10:29 EST, Havoc Pennington said:
> Right. Adding something like a GTK_ALLOW_INSECURE environment variable
> doesn't seem like a terrible idea, though it's too late to do so for
> 1.2.9.

Wrong.

A hacker can just say 'export GTK_ALLOW_INSECURE' and then run his exploit.

A better solution would be to have a global variable inside the GTK libs
that the application itself could set if it was willing to take the risks.

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

PGP signature