-J all
Cym13
cpicard at openmailbox.org
Mon Jun 11 05:15:05 UTC 2018
On Sunday, 10 June 2018 at 19:10:52 UTC, DigitalDesigns wrote:
> On Sunday, 10 June 2018 at 14:42:21 UTC, Basile B. wrote:
>> On Sunday, 10 June 2018 at 01:49:37 UTC, DigitalDesigns wrote:
>>> Please allow -J to specify that all subdirectories are to be
>>> included! I'm having to include all subdirectories of my
>>> library with J because I import each file and extract
>>> information. It would be better to have something like
>>>
>>> -JC:\Lib\*
>>>
>>> rather than
>>>
>>> -JC:\Lib\Internal
>>> -JC:\Lib\Internal\OS
>>> -JC:\Lib\API
>>> -JC:\Lib\API\V1
>>> -JC:\Lib\API\V1\Templates
>>> ....
>>>
>>> ...
>>> ..
>>> .
>>
>> This is opened as an enhancement request now:
>> https://issues.dlang.org/show_bug.cgi?id=18967. IIRC there was
>> a security concern mentioned last time this was proposed, not
>> 100% sure.
>
> Yeah, but -J was added for a security concern! So when does the
> insanity end?
There's no contradiction nor insanity, you're saying the same
thing he did: -J was added for a security concern.
> If it's such a big, e.g., to prevent root access then limit
> asterisk usage to non root and maybe only a depth of 3.
>
> After all, if someone wanted access to sensitive areas just do
> -JC:\Windows\System32.
>
> At some point one has to stop policing everything.
I'm not entirely sure what the threat model is, but it seems to
me that we're not trying to protect against an user exposing
sensitive areas. We're trying to protect against code that isn't
trusted at compile time. I think the idea is to avoid allowing
someone to import your config file with all passwords at
compile-time so that it can use it or send it later at runtime to
the attacker.
It's not a bad risk to consider but I wonder if that's the best
solution we can find.
More information about the Digitalmars-d
mailing list