author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-03-03 00:37:10 +0300 |
---|---|---|
committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-03-03 00:37:10 +0300 |
commit | 70e3409a502676ee2ab80be06e00137ac4faee03 (patch) | |
tree | 26f93280d1695330a1dea6c27197a354247d5eb3 /doc | |
parent | 6d1cc9484949f5a000d78e48dda51d1009c3ef10 (diff) | |
parent | 4efe3cf5569045c3f115777a448c042ed3ba1d22 (diff) |
Merge branch 'shell-paths' into 'master'
More reasons why prefixing is good
Inspired by http://www.dwheeler.com/essays/filenames-in-shell.html
See merge request !1604
Diffstat (limited to 'doc')
-rw-r--r-- | doc/development/shell_commands.md | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/development/shell_commands.md b/doc/development/shell_commands.md index 42f17e19536..821027f43fa 100644 --- a/doc/development/shell_commands.md +++ b/doc/development/shell_commands.md @@ -139,6 +139,11 @@ path = File.join(repo_path, user_input) File.read(path) ``` +If you have to use user input a relative path, prefix `./` to the path. + +Prefixing user-supplied paths also offers extra protection against paths +starting with `-` (see the discussion about using `--` above). + ## Guard against path traversal Path traversal is a security where the program (GitLab) tries to restrict user |
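Review bot: The first added sentence, "If you have to use user input a relative path, prefix `./` to the path.", is missing a word and should probably read "If you have to use user input as a relative path, prefix `./` to the path." The second added paragraph credits the prefix with protection against paths starting with `-`, but a reader could take that as covering traversal too. A path such as `./../x` still leaves the directory, so it would help to add one sentence saying the prefix does not replace the checks in the "Guard against path traversal" section that follows. The added text would also be easier to apply if it showed the prefixing in a short snippet, in the same style as the `File.join(repo_path, user_input)` example directly above it.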