-J all

[Cym13]

On Sunday, 10 June 2018 at 19:10:52 UTC, DigitalDesigns wrote:
> On Sunday, 10 June 2018 at 14:42:21 UTC, Basile B. wrote:
>> On Sunday, 10 June 2018 at 01:49:37 UTC, DigitalDesigns wrote:
>>> Please allow -J to specify that all subdirectories are to be 
>>> included! I'm having to include all subdirectories of my 
>>> library with J because I import each file and extract 
>>> information. It would be better to have something like
>>>
>>> -JC:\Lib\*
>>>
>>> rather than
>>>
>>> -JC:\Lib\Internal
>>> -JC:\Lib\Internal\OS
>>> -JC:\Lib\API
>>> -JC:\Lib\API\V1
>>> -JC:\Lib\API\V1\Templates
>>> ....
>>>
>>> ...
>>> ..
>>> .
>>
>> This is opened as an enhancement request now: 
>> https://issues.dlang.org/show_bug.cgi?id=18967. IIRC there was 
>> a security concern mentioned last time this was proposed, not 
>> 100% sure.
>
> Yeah, but -J was added for a security concern! So when does the 
> insanity end?

There's no contradiction nor insanity, you're saying the same 
thing he did: -J was added for a security concern.

> If it's such a big, e.g., to prevent root access then limit 
> asterisk usage to non root and maybe only a depth of 3.
>
> After all, if someone wanted access to sensitive areas just do 
> -JC:\Windows\System32.
>
> At some point one has to stop policing everything.

I'm not entirely sure what the threat model is, but it seems to 
me that we're not trying to protect against an user exposing 
sensitive areas. We're trying to protect against code that isn't 
trusted at compile time. I think the idea is to avoid allowing 
someone to import your config file with all passwords at 
compile-time so that it can use it or send it later at runtime to 
the attacker.

It's not a bad risk to consider but I wonder if that's the best 
solution we can find.