Changing the set/get location policies default to admin only is not a bad idea, but that's a different patch (master only).
For the (backportable) vulnerability fix, we ideally need something which would close the hole without changing behavior for "normal" users. Are there valid use cases for specifying a file:// location? If not, I think having a v1-style check in v2 is the simplest solution.