> On Fri, Jul 09, 2004 at 03:26:02PM -0500, Dallas L. Engelken wrote:
> > The only thing that doesn't work with SQL prefs is defining new rules..
> > Body, header, full, etc. You can change the describe and score via SQL,
> > but for some reason, new rules cannot be read in from SQL due to the
> > timing of the call I believe. I haven't dug much deeper than that.
>
> It's a design decision, you can not define rules via SQL. Similar
> security implications with allow_user_rules.
Well okay, but allow_user_rules works for flat file configs, but not SQL configs.. maybe there needs to be an allow_sql_user_rules? If you remove the ability for users to call "sa" eval in their rules, you remove the risk of running arbitrary code, right? This would have to be done at the user interface level though. Then you'd just have to "perl" eval the tests to catch the invalid regexes from stupid users. I guess they could also write a really bad regex and cause a DoS. Again, something the user interface could prevent by 'making it simple'.
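An added example of the user-interface-level filter sketched above (not code from this thread or from SpamAssassin itself): a validator that refuses `eval:` tests and rule types outside an allowlist, compiles the pattern, and flags nested quantifiers as a cheap catastrophic-backtracking heuristic. Python's `re` stands in for Perl's regex engine here, so the compile check is an approximation, and the rule names and sample rules are constructed.

```python
import re

# Rule types a user may define. "meta" and anything carrying eval: are refused.
ALLOWED_TYPES = {"body", "rawbody", "header", "uri", "full"}

# "<type> <NAME> <rest>"  e.g.  body USER_VIAGRA /v[i1]agra/i
RULE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<name>[A-Z][A-Z0-9_]*)\s+(?P<rest>.+)$")

# body/rawbody/uri/full: /regex/flags      header: Header =~ /regex/flags
PATTERN_RE = re.compile(
    r"^(?:(?P<hdr>[\w-]+(?::\w+)?)\s*(?P<op>[!=]~)\s*)?"
    r"/(?P<re>(?:\\.|[^/\\])*)/(?P<flags>[imsx]*)$"
)

# Heuristic only: a quantified group containing a quantifier, e.g. (a+)+
NESTED_QUANT = re.compile(r"\([^()]*[+*][^()]*\)[+*]")

FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}


def validate_user_rule(line):
    """Return (ok, reason) for one user-supplied rule line (constructed policy)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return False, "unparseable rule line"
    rtype, rest = m.group("type"), m.group("rest")
    if rtype not in ALLOWED_TYPES:
        return False, f"rule type {rtype!r} not allowed for user rules"
    # Refuse eval: tests before even looking at the pattern; they call Perl code.
    if re.search(r"\beval:", rest):
        return False, "eval: tests are not allowed in user rules"
    pm = PATTERN_RE.match(rest)
    if not pm:
        return False, "expected a /regex/ pattern"
    if (rtype == "header") != bool(pm.group("hdr")):
        return False, "header rules need 'Header =~ /re/'; other types take /re/ only"
    pattern = pm.group("re")
    flags = 0
    for f in pm.group("flags"):
        flags |= FLAG_MAP[f]
    try:
        re.compile(pattern, flags)  # Python re approximates Perl's compile check
    except re.error as e:
        return False, f"regex does not compile: {e}"
    if NESTED_QUANT.search(pattern):
        return False, "nested quantifier; possible catastrophic backtracking"
    return True, "ok"
```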
