author: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-02-26 18:25:59 +0100
committer: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-02-26 18:25:59 +0100
commit: 4efe3cf5569045c3f115777a448c042ed3ba1d22 (patch)
tree: 606d775db7842eac80303aa01bf29c564563762a /doc/development
parent: f980827ba65c1237fca74ccb4452b78785d2ce1b (diff)
download: gitlab-ce-4efe3cf5569045c3f115777a448c042ed3ba1d22.tar.gz
More reasons why prefixing is good
Inspired by http://www.dwheeler.com/essays/filenames-in-shell.html
Diffstat (limited to 'doc/development')
-rw-r--r--  doc/development/shell_commands.md  5
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/development/shell_commands.md b/doc/development/shell_commands.md
index 42f17e19536..821027f43fa 100644
--- a/doc/development/shell_commands.md
+++ b/doc/development/shell_commands.md
@@ -139,6 +139,11 @@ path = File.join(repo_path, user_input)
File.read(path)
```
+If you have to use user input a relative path, prefix `./` to the path.
+
+Prefixing user-supplied paths also offers extra protection against paths
+starting with `-` (see the discussion about using `--` above).
+
## Guard against path traversal
Path traversal is a security where the program (GitLab) tries to restrict user
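Review bot: the first added line, "If you have to use user input a relative path", is missing a word and should read "If you have to use user input as a relative path, prefix `./` to the path." Since this advice sits directly above the "Guard against path traversal" section, it would also help to say explicitly that the `./` prefix only stops a value beginning with `-` from being read as an option (the case the `--` discussion covers) and does not by itself prevent `../` components from escaping `repo_path`, so the traversal check described in the next section is still required.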