Commit
Document that we send emails to correct place (#1401)
There's a sneaky attack described in the article by John Gracey titled "Hacking GitHub with Unicode's dotless 'i'" (Nov 28, 2019), https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/

Basically, if you do case-insensitive matches, but then use the email address provided by an *attacker* to send the email, you might send it to the wrong place.

We have *never* been vulnerable to this attack. Still, someone might wonder if we *are* vulnerable to it. Clearly document that we aren't vulnerable to it, and add additional comments to ensure that things stay this way.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
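The attack the commit message refers to, shown as an added Ruby example (this is not the BadgeApp project's own code). The user table is constructed, and the upcase-then-downcase fold is an assumption that stands in for whatever case-insensitive comparison a database collation or normalizer performs. It shows the vulnerable pattern (send to the address the requester typed) beside the safe one (send to the address stored on the matched account), using both look-alike characters the article relies on: the dotless i (U+0131) and the Kelvin sign (U+212A).

```ruby
# Added example (not the BadgeApp project's own code). Constructed user
# table standing in for the accounts database; the email stored here is
# the canonical address the account holder verified at registration.
REGISTERED_USERS = [
  { id: 1, email: 'john@github.com' },
  { id: 2, email: 'kate@example.com' },
].freeze

# Case-insensitive match that folds Unicode case the way a
# case-insensitive database collation or a naive normalizer does.
# Assumption: this models the lookup; it is not the project's query.
def fold_case(email)
  email.upcase.downcase
end

# Returns the account whose stored email matches the typed one
# case-insensitively, or nil if there is no such account.
def find_user_case_insensitive(typed_email)
  folded = fold_case(typed_email)
  REGISTERED_USERS.find { |user| fold_case(user[:email]) == folded }
end

# VULNERABLE pattern from the article: the lookup succeeds on the
# attacker's look-alike address, and the reset mail is then sent to
# the address the *requester* typed, i.e. to the attacker.
def reset_recipient_vulnerable(typed_email)
  return nil unless find_user_case_insensitive(typed_email)
  typed_email
end

# SAFE pattern: the reset mail always goes to the address stored on the
# matched account, so a look-alike address can never redirect it.
def reset_recipient_safe(typed_email)
  user = find_user_case_insensitive(typed_email)
  return nil unless user
  user[:email] # never use typed_email here
end

# Characters that collide with ASCII letters under case folding:
#   U+0131 LATIN SMALL LETTER DOTLESS I -> upcase "I" -> downcase "i"
#   U+212A KELVIN SIGN                  -> downcase "k" (downcase alone suffices)
DOTLESS_I_ATTACK = "john@g\u0131thub.com"  # renders as john@gıthub.com
KELVIN_ATTACK    = "\u212Aate@example.com" # renders as Kate@example.com

if __FILE__ == $PROGRAM_NAME
  [DOTLESS_I_ATTACK, KELVIN_ATTACK].each do |typed|
    puts "typed:      #{typed}"
    puts "vulnerable: #{reset_recipient_vulnerable(typed).inspect}"
    puts "safe:       #{reset_recipient_safe(typed).inspect}"
  end
end
```

The lookup may legitimately be case-insensitive; the defect is only in which string is handed to the mailer. Any code path that sends account mail should take the address from the account record it found, never from the request parameters.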
1 parent ba3b30f
commit 29f09ae
Showing 3 changed files with 22 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Style/CommentAnnotation: Annotation keywords like "Note" should be all upper case, followed by a colon, and a space, then a note describing the problem. (https://rubystyle.guide#annotate-keywords)