Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

box_source() makes me uncomfortable #189

Open
ijlyttle opened this issue Sep 26, 2020 · 2 comments
Open

box_source() makes me uncomfortable #189

ijlyttle opened this issue Sep 26, 2020 · 2 comments

Comments

@ijlyttle
Copy link
Member

ijlyttle commented Sep 26, 2020
edited
Loading

box_source() seems like a way to facilitate a security breach, given the possibility that the remote file may not be secured.

Thinking SQL injection, but using files.

If it were only me, I would consider a fast-track to deprecation (not to be considered before 0.3.6 release).

Are there users?

Thoughts?
@nathancday
Copy link
Member

I think of it as a shortcut for the use case of sourcing shared code. Sure you can source bad things, but I don't think sourcing itself is bad.

I'm not opposed to leaving this up to see if any users find it. Maybe we put a questioning tag on it in 3.6?

@ijlyttle
Copy link
Member Author

For me, the danger is that the code that seems too easy for the "sourced" code to change without the person running box_source() knowing about it.

That said, I am all for the "questioning" tag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nathancday @ijlyttle