summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@gnu.kitenet.net>2009-02-09 16:04:33 -0500
committerJoey Hess <joey@gnu.kitenet.net>2009-02-09 16:04:33 -0500
commit9a84181ad9bbef5bdc4a9ecb3160994f79d8b9cb (patch)
tree53e6310b86bb20b5d026be12a863f89c3e2eff60
parentbadc6c229f47964f5750a55a26204d847b33b32a (diff)
document writefile symlink checks
-rw-r--r--doc/plugins/write.mdwn10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn
index 99eea3d16..1a119b99b 100644
--- a/doc/plugins/write.mdwn
+++ b/doc/plugins/write.mdwn
@@ -629,6 +629,16 @@ A failure to write the file will result in it dying with an error.
If the destination directory doesn't exist, it will first be created.
+The filename and directory are separate parameters because of
+some security checks done to avoid symlink attacks. Before writing a file,
+it checks to make sure there's not a symlink with its name, to avoid
+following the symlink. If the filename parameter includes a subdirectory
+to put the file in, it also checks if that subdirectory is a symlink, etc.
+The directory parameter, however, is not checked for symlinks. So,
+generally the directory parameter is a trusted toplevel directory like
+the srcdir or destdir, and any subdirectories of this are included in the
+filename parameter.
+
#### `will_render($$)`
Given a page name and a destination file name (not including the base