Message277334
I think this requires arbitrary code execution as a minimum - there's no way anyone would pass a user-provided value here - so the security implications are less interesting.
All we can really do is restrict the types accepted here, which I don't think is appropriate in a maintenance release. Possibly it's not too late to deprecate in 3.6 for removal in 3.8, but it is certainly a documented feature. Checking a handle for validity is not part of user mode API, as far as I know - EAFP.

| Date | User | Action | Args |
|---|---|---|---|
| 2016-09-24 20:58:29 | steve.dower | set | recipients: + steve.dower, christian.heimes, tim.golden, zach.ware, eryksun, JohnLeitch |
| 2016-09-24 20:58:29 | steve.dower | set | messageid: <1474750709.28.0.712071365473.issue24201@psf.upfronthosting.co.za> |
| 2016-09-24 20:58:29 | steve.dower | link | issue24201 messages |
| 2016-09-24 20:58:28 | steve.dower | create | |