Merge pull request #611 from bosoxbill/doc-for-cve-2016-10545

Add language about how not to use Thor
rails · Jul 5, 2018 · 688c3f2 · 688c3f2
2 parents 0ecea7b + 345ee5a
commit 688c3f2
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -19,7 +19,13 @@ utilities.  It removes the pain of parsing command line options, writing
 build tool.  The syntax is Rake-like, so it should be familiar to most Rake
 users.
 
+Please note: Thor, by design, is a system tool created to allow seamless file and url
+access, which should not receive application user input. It relies on [open-uri][open-uri],
+which combined with application user input would provide a command injection attack
+vector.
+
 [rake]: https://github.com/ruby/rake
+[open-uri]: https://ruby-doc.org/stdlib-2.5.1/libdoc/open-uri/rdoc/index.html
 
 Installation
 ------------