#63 path disclosure in .make.log files

[Lee Worden]

they tell the world where our PE cache is located. This is not ideal (http://hakipedia.com/index.php/Full_Path_Disclosure), though in this case it's not clear whether knowledge of the cache location could be used to do anything bad, since it should be separate from the web server files and other sensitive things.

But it would be safer, and less cluttery as well, if the full path were not reported.

It should be possible to stop pe-make and make from directly reporting the absolute paths they are using. There's no good way to stop arbitrary executables from reporting their absolute locations, though, so a full solution would probably require a global search and replace, unfortunately, which always carries the risk of corrupting some innocent data that should be left alone.

I suspect that a complete solution would require global string replacing on all output files, that it is too undesirable and not worth the hypothetical benefit, and that we can remove the obvious disclosures but will not be able to keep a mischievous user from finding out where the cache is.