author: Jack Christensen <jack@jackchristensen.com> 2018-08-01 12:26:47 -0500
committer: GitHub <noreply@github.com> 2018-08-01 12:26:47 -0500
commit: dd435da5b380fdc302570a9225f189e7e313f01f (patch)
tree: 081d077961f440a5a9e78934bc3b3a8a056bc3f8
parent: bd01f9831cb6416b34f566167237697e666e5e41 (diff)
Fix file upload location recommendation
Going one level downwards from Rails' /public directory would still be inside the public directory and therefore servable by the web server. Files should be stored upwards of the public directory.
-rw-r--r-- guides/source/security.md 2
1 file changed, 1 insertion, 1 deletion
diff --git a/guides/source/security.md b/guides/source/security.md
index 4e12a831a9..9fbd252bb7 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -419,7 +419,7 @@ WARNING: _Source code in uploaded files may be executed when placed in specific
The popular Apache web server has an option called DocumentRoot. This is the home directory of the web site, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file.
-_If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level downwards.
+_If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level upwards.
### File Downloads
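Review bot: the new wording "store files at least one level upwards" is still imprecise about the property the paragraph is actually describing, which is that uploads must live outside the directory tree that DocumentRoot serves; "one level up" from /public is the Rails application root, and the guidance really is "anywhere not under the document root". Suggest saying that directly, e.g. "store uploaded files outside the /public tree (and therefore outside DocumentRoot), so the web server can neither serve nor execute them", which also ties the fix back to the "file.cgi" scenario in the preceding context line.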