author Dieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de> 2007-09-06 23:11:45 +0000
committer Dieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de> 2007-09-06 23:11:45 +0000
commit 7813337cad75e71e76dbd1d4492ca0d53b523d61 (patch)
tree fea12dc6ee3c6b05f744b43995ba51326ca7eb07 /README
parent 2c9a078c00412fb0fbdcefbfd4bd6ba6bb3b9324 (diff)
- First reaction to bug #387. This version has checked MapUrl mappings.
Diffstat (limited to 'README')
-rw-r--r-- README 17
1 files changed, 16 insertions, 1 deletions
diff --git a/README b/README
index 3bb495a..6ca7176 100644
--- a/README
+++ b/README
@@ -151,4 +151,19 @@ build. It is only neccessary if the localized strings have changed or
if translations have been added. So if one of above is true you can
regenerate i18n-generated.h with the make target 'generate-i18n' prior
to creating the live plugin. In this case you need the CPAN perl
-module Locale::PO installed on your system. \ No newline at end of file
+module Locale::PO installed on your system.
+
+
+Security consideratios
+======================
+
+Live uses the tntnet MapUrl mechanism to map different request urls
+to tntnet components. One component 'content.ecpp' delivers files
+found in the file system. When given the wrong 'path' it could
+retrieve any file from the server where live runs on. Therefore
+content.ecpp needs to be enhanced to check the paths before returning
+files. A second measure against missuse is to limit the mappings from
+MapUrl to only valid files. In the current version this approach has
+been taken. But due to the 'dificulty' to fully understand regular
+expressions, this might get spoiled again by 'unchecked' code
+contribution.
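
Review bot: In the added 'Security consideratios' paragraph, the path check in content.ecpp is described as something that 'needs to be enhanced' while only the MapUrl restriction 'has been taken', so the README should state plainly that in this version the mappings are the sole protection and content.ecpp still trusts the 'path' it is given. The paragraph itself concedes that the regular expressions can 'get spoiled again' by later contributions, which is the argument for putting the check in the component as well: resolve the requested path and refuse anything that ends up outside the directory being served, so a loosened mapping does not re-expose arbitrary files. It would also help to tell contributors where the mappings live and that any change to them needs review against this section. Spelling in the added lines: 'consideratios' should be 'considerations' (extend the '=' underline by one character to match), 'missuse' should be 'misuse', and 'dificulty' should be 'difficulty'; 'where live runs on' reads better as 'on which live runs'.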