@eslerm thanks for reporting this upstream, will follow-up to any discussion when I get added.
Just keep in mind that this isn't a vulnerability in upstream edk2 codebase in the strict sense, as it only affects you if you specifically opt-in to certain configurations in your builds. These being insecure should really be documented by upstream to avoid others falling into the trap however.
@eslerm thanks for reporting this upstream, will follow-up to any discussion when I get added.
Just keep in mind that this isn't a vulnerability in upstream edk2 codebase in the strict sense, as it only affects you if you specifically opt-in to certain configurations in your builds. These being insecure should really be documented by upstream to avoid others falling into the trap however.