On Tue, Aug 12, 2008 at 7:17 PM, Chad <innocentkiller(a)gmail.com> wrote:
> This being said, is a major performance impact worth it? How
> real a threat is this; is it _currently_ being exploited?
That's a pretty poor standard to use. If it's known to be *possible*
for someone to steal large numbers of admins' cookies and/or passwords
through some phishing scheme, it's of secondary concern whether anyone
happens to be doing it at the moment.
Currently it's not possible, just because all ZIP uploads are blocked.
This is kind of suboptimally low granularity, is the problem. JAR
really has no mandatory distinctive headers or anything?