Hi.
Thank you for pound, it's really great software.
In pound's documentation, it is said that:
"Rather than change *Pound* to accept these characters (which could create
some serious issues with security on other systems) we have made this
behavior dependent on a compile-time switch. This is not accessible
through the config file - you'll have to add -DMSDAV to the CFLAGS in
the Makefile (or run configure --enable-msdav). You are free to do so,
but be aware of what the implications are!"
Could you please confirm that, if one enables webdav during
compilation, using "WebDAV 0" in the config file would not be enough
to DISABLE those dirty characters?
In other words, what is the real security impact of enabling webdav
during compilation? (considering one can disable it in the config).
I'm trying to get some background to discuss with debian's pound
package maintainers the possibility of enabling webdav by default in
compilation, and leaving "WebDAV 0" in the config file.
Currently, debian's pound package is not compiled with webdav, so
one must recompile the package in order to get that feature. Debian
developers argue that the upstream author must have had some good
reasons for not enabling that by default, so they are just following that.
I have patched ubuntu's pound package to use that feature, and this
package will probably go to the next version of that distribution, if
they accept it.
[...]