It is true that this issue was fixed in v2.1 but it still exists in previous versions of the API. I agree on the fact that this behavior has been well understood for some time but I'm not sure people is aware of this vulnerability, though.
I agree with Thierry's idea of documenting the vulnerability somewhere without changing the way Glance works. I also prefer to keep Glance the way it is today, if we all agree that documenting this is enough to close this bug.
It is true that this issue was fixed in v2.1 but it still exists in previous versions of the API. I agree on the fact that this behavior has been well understood for some time but I'm not sure people is aware of this vulnerability, though.
I agree with Thierry's idea of documenting the vulnerability somewhere without changing the way Glance works. I also prefer to keep Glance the way it is today, if we all agree that documenting this is enough to close this bug.
Thank you all!