Document file upload random uuid security
parent
4e5897f51e
commit
63a1a581e9
|
@ -4,4 +4,5 @@
|
||||||
- [Rack attack](rack_attack.md)
|
- [Rack attack](rack_attack.md)
|
||||||
- [Web Hooks and insecure internal web services](webhooks.md)
|
- [Web Hooks and insecure internal web services](webhooks.md)
|
||||||
- [Information exclusivity](information_exclusivity.md)
|
- [Information exclusivity](information_exclusivity.md)
|
||||||
- [Reset your root password](reset_root_password.md)
|
- [Reset your root password](reset_root_password.md)
|
||||||
|
- [User File Uploads](user_file_uploads.md)
|
||||||
|
|
|
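Review bot: The new index entry `[User File Uploads]` is in title case, while the neighbouring entries use sentence case ("Rack attack", "Information exclusivity", "Reset your root password"). Suggest "User file uploads" for the link text here, and the same for the heading in `user_file_uploads.md`, so the list reads consistently.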
@ -0,0 +1,11 @@
|
||||||
|
# User File Uploads
|
||||||
|
|
||||||
|
Images attached to issues, merge requests or comments do not require authentication
|
||||||
|
to be viewed if someone knows the direct URL. This direct URL contains a random
|
||||||
|
32-character ID that prevents unauthorized people from guessing the URL to an
|
||||||
|
image containing sensitive information. We don't enable authentication because
|
||||||
|
these images need to be visible in the body of notification emails, which are
|
||||||
|
often read from email clients that are not authenticated with GitLab, like
|
||||||
|
Outlook, Apple Mail, or the Mail app on your mobile device.
|
||||||
|
|
||||||
|
Note that non-image attachments do require authentication to be viewed.
|
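Review bot: The paragraph says the random 32-character ID "prevents unauthorized people from guessing the URL", but it never says that the URL is then the only thing protecting the image. Suggest adding a sentence that anyone who obtains the direct URL, for example from a forwarded notification email, can view the image without signing in, and stating explicitly whether this also applies to images in private projects. The commit title calls the ID a random UUID while the text only says "32-character ID"; naming the format or its character set would let readers judge how hard it is to guess. The closing line on non-image attachments would also be easier to find as a short list of "images" versus "other attachments" than as a trailing note.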