diff options
| author | Jack Christensen <jack@jackchristensen.com> | 2018-08-01 12:26:47 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-01 12:26:47 -0500 |
| commit | dd435da5b380fdc302570a9225f189e7e313f01f (patch) | |
| tree | 081d077961f440a5a9e78934bc3b3a8a056bc3f8 | |
| parent | bd01f9831cb6416b34f566167237697e666e5e41 (diff) | |
| download | rails-dd435da5b380fdc302570a9225f189e7e313f01f.tar.gz rails-dd435da5b380fdc302570a9225f189e7e313f01f.tar.bz2 rails-dd435da5b380fdc302570a9225f189e7e313f01f.zip | |
Fix file upload location recommendation
Going one level downwards from Rails' /public directory would still be inside the public directory and therefore servable by the web server. Files should stored upwards of the public directory.
| -rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 4e12a831a9..9fbd252bb7 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -419,7 +419,7 @@ WARNING: _Source code in uploaded files may be executed when placed in specific The popular Apache web server has an option called DocumentRoot. This is the home directory of the web site, everything in this directory tree will be served by the web server. If there are files with a certain file name extension, the code in it will be executed when requested (might require some options to be set). Examples for this are PHP and CGI files. Now think of a situation where an attacker uploads a file "file.cgi" with code in it, which will be executed when someone downloads the file. -_If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level downwards. +_If your Apache DocumentRoot points to Rails' /public directory, do not put file uploads in it_, store files at least one level upwards. ### File Downloads |