From 4efe3cf5569045c3f115777a448c042ed3ba1d22 Mon Sep 17 00:00:00 2001 From: Jacob Vosmaer Date: Thu, 26 Feb 2015 18:25:59 +0100 Subject: [PATCH] More reasons why prefixing is good Inspired by http://www.dwheeler.com/essays/filenames-in-shell.html --- doc/development/shell_commands.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/development/shell_commands.md b/doc/development/shell_commands.md index 42f17e19536..821027f43fa 100644 --- a/doc/development/shell_commands.md +++ b/doc/development/shell_commands.md @@ -139,6 +139,11 @@ path = File.join(repo_path, user_input) File.read(path) ``` +If you have to use user input a relative path, prefix `./` to the path. + +Prefixing user-supplied paths also offers extra protection against paths +starting with `-` (see the discussion about using `--` above). + ## Guard against path traversal Path traversal is a security where the program (GitLab) tries to restrict user
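Review bot: The first added sentence is missing a word and reads as if user input and the relative path are the same thing: "If you have to use user input a relative path, prefix `./` to the path." should be "If you have to use user input as a relative path, prefix `./` to the path." It would also help the reader to state the protection precisely: the `./` prefix only stops the value from being parsed as an option (a path starting with `-`, as the second added paragraph says, and as the existing `--` discussion covers); it does nothing against `..` segments, which is why the "Guard against path traversal" section that immediately follows still applies. A one-line example of the prefixed form next to the existing `File.join(repo_path, user_input)` snippet would make that distinction concrete.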