
On 2015-01-06 08:03, Ganesh Sittampalam wrote:
On 06/01/2015 05:30, Greg Weber wrote:
When I suggested deprecation, I assumed that following a symlink was a desirable behavior for someone. If it is not and it is 100% the case that this behavior is a defect, then this is just a bugfix and deprecation is not needed.
My general feeling is that it is just a bug.
That's what I thought too -- it's a typical rookie mistake to forget to check if "isDirectory?" will return "true" for symlinks to directories. But the documentation actually states the expected behavior correctly -- it's not nearly explicit enough about how dangerous it is, but the documentation is technically correct. However, even so, this is CVE-worthy behavior on its own (as pointed out by Brandon), and should be removed pronto. Perhaps with new minor versions for all affected major versions (excellent point by Greg Weber), depending on how much work that is.
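The "isDirectory returns true for a symlink to a directory" mistake described above, shown as an added Python illustration (not the Haskell `directory` package's code and not from anyone in this thread): a naive recursive remover that descends through the link beside a fixed one that unlinks the link itself. The layout it builds is constructed in a temporary directory and assumes a POSIX filesystem where `rmdir()` on a symlink fails with ENOTDIR.

```python
"""Constructed demo: recursive delete that follows a symlink to a
directory, beside a version that checks for the link first."""
import os
import tempfile


def rm_tree_naive(path):
    """Buggy: os.path.isdir() answers True for a symlink to a directory,
    so the recursion walks into the link target and deletes its contents."""
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.isdir(child):          # follows symlinks
            rm_tree_naive(child)
        else:
            os.remove(child)
    os.rmdir(path)                        # fails on the link, after the damage is done


def rm_tree_safe(path):
    """Fixed: test for a symlink before treating the entry as a directory,
    and remove only the link, never what it points at."""
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.islink(child) or not os.path.isdir(child):
            os.remove(child)              # unlinks the link itself
        else:
            rm_tree_safe(child)
    os.rmdir(path)


def build_fixture(root):
    """Constructed layout: root/victim/secret.txt and root/doomed/link -> victim."""
    victim = os.path.join(root, "victim")
    doomed = os.path.join(root, "doomed")
    os.makedirs(victim)
    os.makedirs(doomed)
    with open(os.path.join(victim, "secret.txt"), "w") as f:
        f.write("keep me\n")
    os.symlink(victim, os.path.join(doomed, "link"))
    return victim, doomed


def run(remover):
    """Delete 'doomed' with `remover`; report (target file intact, doomed tree gone)."""
    with tempfile.TemporaryDirectory() as root:
        victim, doomed = build_fixture(root)
        try:
            remover(doomed)
        except OSError:
            pass                          # naive version trips on rmdir() of the link
        return (os.path.exists(os.path.join(victim, "secret.txt")),
                not os.path.exists(doomed))
```

`run(rm_tree_naive)` reports the file behind the link destroyed, while `run(rm_tree_safe)` leaves it intact and removes only the `doomed` tree.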