https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28200 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to Martin Renvoize from comment #10)
I've not read enough of th background to understand why support was dropped for security reasons in the upstream library? It feels like if they've disabled it by default for a reason we shouldn't just re-enable it without considering the possible security ramifications. That said, I wouldn't be opposed to tying that constructor line to yet another system preference that defaults to enabled for upgrades and disabled for new installs.. That way we don't break anyone's setups but encourage the more secure form going forward?
Personally, I think their labelling it as a "security" change was overblown. My understanding is that they dropped support for the abbreviated format because it *might* be too easy to accidentally specify a more permissive range than one intends. I can see how 10.10 is much less explicit than 10.10.0.0/16 but I don't really see the problem. But at this point in the discussion I am OK with Koha dropping support for the abbreviated form. I suppose the question is do we leave it as a breaking change or do we automagically fix people's configuration? I don't mind manually fixing all my instances, but I also know this stuff really well. It looks like HEA doesn't capture the relevant ILS-DI syspref (https://hea.koha-community.org/systempreferences) so I don't know what people have used... -- You are receiving this mail because: You are watching all bug changes.