Merge pull request #611 from bosoxbill/doc-for-cve-2016-10545

rafaelfranca · web-flow · commit 688c3f2f793c · 2018-07-05T15:08:40.000-04:00
Add language about how not to use Thor
diff --git a/README.md b/README.md
@@ -19,7 +19,13 @@ utilities.  It removes the pain of parsing command line options, writing
 build tool.  The syntax is Rake-like, so it should be familiar to most Rake
 users.
 
+Please note: Thor, by design, is a system tool created to allow seamless file and url
+access, which should not receive application user input. It relies on [open-uri][open-uri],
+which combined with application user input would provide a command injection attack
+vector.
+
 [rake]: https://github.com/ruby/rake
+[open-uri]: https://ruby-doc.org/stdlib-2.5.1/libdoc/open-uri/rdoc/index.html
 
 Installation
 ------------
