From d6702055cbeed566e426c4c8a266f360d1824c39 Mon Sep 17 00:00:00 2001 From: Dan Croak Date: Tue, 10 Sep 2013 20:20:35 -0700 Subject: [PATCH] Add only trusted projects' bin directory to $PATH Assuming the binstubs for a project are in the local bin/ directory, you can even go a step further to add the directory to shell $PATH so that rspec can be invoked without the bin/ prefix: export PATH="./bin:$PATH" Doing so on a system that other people have write access to (such as a shared host) is a security risk: https://github.com/sstephenson/rbenv/issues/309 The `.git/safe` convention addresses the security problem: https://twitter.com/tpope/status/165631968996900865 Put this in `zshenv` because: http://zsh.sourceforge.net/Intro/intro_3.html > `.zshenv' is sourced on all invocations of the shell, unless the -f > option is set. It should contain commands to set the command search > path. Load `zshenv.local` config at the end of the file so that users can extend their `zshenv` needs in their personal dotfiles using `rcup`. --- zshenv | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 zshenv diff --git a/zshenv b/zshenv new file mode 100644 index 0000000000..2ee668f5f6 --- /dev/null +++ b/zshenv @@ -0,0 +1,5 @@ +# mkdir .git/safe in the root of repositories you trust +export PATH=".git/safe/../../bin:$PATH" + +# Local config +[[ -f ~/.zshenv.local ]] && source ~/.zshenv.local
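Review bot: The one-line comment above `export PATH=".git/safe/../../bin:$PATH"` does not document what this entry actually covers, and it should, since the file is read by every zsh invocation. The entry is relative and prepended, so it is resolved against the current directory on each command lookup. It therefore takes effect only when the shell sits in the repository root (where `.git/safe` is reachable), not in subdirectories. When it does take effect, anything in `bin/` shadows system commands of the same name, including in non-interactive zsh scripts started from that directory. The trust check is also only "does the path `.git/safe` resolve", so the marker is as trustworthy as write access to `.git` and `bin/` in that checkout. I would expand the comment to say all three things: create the marker only in repositories where you control both `.git` and `bin/`, expect it to work only from the repository root, and expect binstubs to take precedence over everything else on `$PATH`. It is also worth considering whether the export should be limited to interactive shells, with `~/.zshenv.local` left as the place to override it.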