that is exactly why i implemented the
fs_overpath feature. it defends against the above and similar attacks. BUTT @blowFish took a shit on the feature, and removed it — 1.3 is AWESOME(TM)(R)(C).1 now, u'd think @blowFish'd learn, but i guess not, and the feature won't be re-added.
in the update, a concrete attack path has been fixed. yet i still conceptualize a similar, concrete attack being possible.
2 actually, there's no 1.3 to speak about yet.