Dvips has *always* searched in the current directory first for virtually all files, config files, tfm files, vf files, figure files, header files, etc. So all the blame on that goes to me. This was intended as a feature; users sometimes want to override something, much like TeX searches for input files starting in the current directory and then moving on to the system directories and so on.
From a security standpoint, this is clearly bad, as you say. But I'm not sure disabling search for config files in . is, at this point, a great solution. I'm sure many people use this extensively, and we will totally break them if we make this change. For instance, what about .dvipsrc, which is *intended* as a place for the user to specify default config options for dvips, and it is searched for in $HOME, which is often the current working directory of people running dvips as well? Man, what a mess.
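As an added illustration, not dvips's own code and not part of the thread above, the following Python model compares the two lookup policies the message weighs: the historical "current directory first for everything" order, and a hardened order in which configuration files are never taken from the current directory while data files such as figures still are. The set of names treated as configuration (`CONFIG_NAMES`), the directory layout, and the file contents are all constructed for the example; the point it shows is that dropping `.` from the config search does not lose `$HOME/.dvipsrc`, because `$HOME` is searched explicitly rather than via the current directory.

```python
import tempfile
from pathlib import Path

# Names a dvips-style tool reads as configuration rather than as data.
# Hypothetical set for this example; the real list lives in dvips itself.
CONFIG_NAMES = {"config.ps", ".dvipsrc"}


def resolve(name, search_dirs):
    """Return the first existing regular file called `name` along `search_dirs`, else None."""
    for d in search_dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def lookup_historical(name, cwd, home, system):
    """Search order described in the mail: current directory first, for every kind of file."""
    return resolve(name, [cwd, home, system])


def lookup_hardened(name, cwd, home, system):
    """Config files are never taken from the current directory; other files still are.
    If cwd happens to be $HOME, .dvipsrc is still found, but through the $HOME entry."""
    if name in CONFIG_NAMES:
        return resolve(name, [home, system])
    return resolve(name, [cwd, home, system])


def build_fixture(root):
    """Constructed layout: a system tree, a home directory, and a directory
    somebody else populated with look-alike config files."""
    root = Path(root)
    system, home, planted = root / "texmf" / "dvips", root / "home", root / "planted"
    for d in (system, home, planted):
        d.mkdir(parents=True)
    (system / "config.ps").write_text("% system-wide configuration\n")
    (home / ".dvipsrc").write_text("% the user's own defaults\n")
    (planted / "config.ps").write_text("% planted in a shared working directory\n")
    (planted / ".dvipsrc").write_text("% also planted\n")
    (planted / "figure.eps").write_text("%!PS-Adobe-3.0 EPSF-3.0\n")
    return system, home, planted


def origin(path, system, home, planted):
    """Map a resolved path back to the tree it came from, for readable results."""
    if path is None:
        return None
    return {system: "system", home: "home", planted: "planted"}[path.parent]


def demo():
    """Run both policies over the fixture and report where each file was taken from."""
    with tempfile.TemporaryDirectory() as tmp:
        system, home, planted = build_fixture(tmp)
        results = {}
        for label, lookup in (("historical", lookup_historical), ("hardened", lookup_hardened)):
            # Case 1: the tool is run inside the directory holding the planted files.
            in_planted = {n: origin(lookup(n, planted, home, system), system, home, planted)
                          for n in ("config.ps", ".dvipsrc", "figure.eps")}
            # Case 2: the tool is run from $HOME, the .dvipsrc situation raised in the mail.
            in_home = origin(lookup(".dvipsrc", home, home, system), system, home, planted)
            results[label] = {"cwd=planted": in_planted, "cwd=home .dvipsrc": in_home}
        return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under the historical order every lookup from the planted directory, config.ps and .dvipsrc included, resolves to the planted copies; under the hardened order config.ps comes from the system tree, .dvipsrc from $HOME, and only figure.eps is still taken from the current directory. Running from $HOME finds the user's .dvipsrc under both policies.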