diff options
author | Drew Blessing <drew@gitlab.com> | 2015-12-10 10:24:08 -0600 |
---|---|---|
committer | Drew Blessing <drew@gitlab.com> | 2015-12-10 10:24:08 -0600 |
commit | 63a1a581e937ff6d21e7e6ca4774b7907c6a0c1b (patch) | |
tree | 6afb645f97aeef8f054db0afe353e3e6dabb602f /doc | |
parent | 4e5897f51ef97d7c3ff6c57f81521f552979a3da (diff) | |
download | gitlab-ce-63a1a581e937ff6d21e7e6ca4774b7907c6a0c1b.tar.gz |
Document file upload random uuid security
Diffstat (limited to 'doc')
-rw-r--r-- | doc/security/README.md | 3 | ||||
-rw-r--r-- | doc/security/user_file_uploads.md | 11 |
2 files changed, 13 insertions, 1 deletions
diff --git a/doc/security/README.md b/doc/security/README.md index 473f3632dcd..fba6013d9c1 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -4,4 +4,5 @@ - [Rack attack](rack_attack.md) - [Web Hooks and insecure internal web services](webhooks.md) - [Information exclusivity](information_exclusivity.md) -- [Reset your root password](reset_root_password.md)
\ No newline at end of file +- [Reset your root password](reset_root_password.md) +- [User File Uploads](user_file_uploads.md) diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md new file mode 100644 index 00000000000..98493d33b00 --- /dev/null +++ b/doc/security/user_file_uploads.md @@ -0,0 +1,11 @@ +# User File Uploads + +Images attached to issues, merge requests or comments do not require authentication +to be viewed if someone knows the direct URL. This direct URL contains a random +32-character ID that prevents unauthorized people from guessing the URL to an +image containing sensitive information. We don't enable authentication because +these images need to be visible in the body of notification emails, which are +often read from email clients that are not authenticated with GitLab, like +Outlook, Apple Mail, or the Mail app on your mobile device. + +Note that non-image attachments do require authentication to be viewed. |