Commit 70e3409a authored by Dmitriy Zaporozhets

Merge branch 'shell-paths' into 'master'

More reasons why prefixing is good

Inspired by http://www.dwheeler.com/essays/filenames-in-shell.html

See merge request !1604
parents 6d1cc948 4efe3cf5
...@@ -139,6 +139,11 @@ path = File.join(repo_path, user_input) ...@@ -139,6 +139,11 @@ path = File.join(repo_path, user_input)
File.read(path) File.read(path)
``` ```
If you have to use user input a relative path, prefix `./` to the path.
Prefixing user-supplied paths also offers extra protection against paths
starting with `-` (see the discussion about using `--` above).
## Guard against path traversal ## Guard against path traversal
Path traversal is a security where the program (GitLab) tries to restrict user Path traversal is a security where the program (GitLab) tries to restrict user
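Review bot: the added sentence "If you have to use user input a relative path, prefix `./` to the path." is missing a word; suggest "If you have to use user input as a relative path, prefix it with `./`." It would also help to say explicitly that the `./` prefix only stops a leading `-` from being parsed as an option (the `--` discussion the text refers to) and does nothing about `..` components escaping `repo_path`, so the reader is sent on to the "Guard against path traversal" section that follows rather than treating the prefix as sufficient on its own.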
......