David A. Wheeler authored
There's a sneaky attack described in the article by John Gracey titled "Hacking GitHub with Unicode's dotless 'i'" (Nov 28, 2019), https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/

Basically, if you do case-insensitive matches, but then use the email address provided by an *attacker* to send the email, you might send it to the wrong place.

We have *never* been vulnerable to this attack. Still, someone might wonder if we *are* vulnerable to it. Clearly document that we aren't vulnerable to it, and add additional comments to ensure that things stay this way.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
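The pattern the commit message warns about, as an added example written for this page (it is not the project's code and not from the commit): a password-reset flow that looks a user up case-insensitively and then mails the reset token to the address the requester typed, beside the safe version that only ever mails the address stored on the matched record. The user table, the `find_user_case_insensitive`, `reset_target_vulnerable`, `reset_target_safe` and `ascii_email?` names, and the "mike" victim are all constructed for the illustration. It relies on Ruby's full Unicode case mapping (Ruby 2.4 and later), under which U+0131 LATIN SMALL LETTER DOTLESS I upcases to plain ASCII "I".

```ruby
# Added example (not the project's own code): a case-insensitive email lookup
# followed by a mail-out to the *submitted* address, versus the safe form that
# only mails the address stored on the matched record.

# Constructed sample user table: addresses exactly as they were registered.
USERS = [
  { id: 1, email: "mike@example.com" },
  { id: 2, email: "anna@example.com" },
].freeze

# Case-insensitive lookup of the kind many applications do (upcase both sides).
# With full Unicode case mapping, "\u0131" (dotless i) upcases to ASCII "I", so
# an attacker-supplied "m\u0131ke@example.com" matches the victim's record.
def find_user_case_insensitive(email)
  USERS.find { |u| u.fetch(:email).upcase == email.upcase }
end

# VULNERABLE pattern: finds the record case-insensitively, then sends the
# reset token to the address the *requester* typed. The token goes to the
# attacker's mailbox, not the victim's.
def reset_target_vulnerable(submitted_email)
  user = find_user_case_insensitive(submitted_email)
  return nil unless user
  { user_id: user[:id], send_to: submitted_email }
end

# SAFE pattern: the submitted string is used only to locate the record; the
# only address that is ever used as a mail destination is the stored one.
def reset_target_safe(submitted_email)
  user = find_user_case_insensitive(submitted_email)
  return nil unless user
  { user_id: user[:id], send_to: user[:email] }
end

# Optional defence in depth: every confusable in this class is a non-ASCII
# code point, so an ASCII-only check on the submitted address rejects them
# before any case folding happens.
def ascii_email?(email)
  email.ascii_only?
end

if __FILE__ == $PROGRAM_NAME
  attacker_input = "m\u0131ke@example.com" # dotless i, renders like "mike"
  p reset_target_vulnerable(attacker_input) # token would go to the attacker
  p reset_target_safe(attacker_input)       # token goes to mike@example.com
  p ascii_email?(attacker_input)            # false: reject before folding
end
```

The essential fix is the one the commit message describes: after a case-insensitive match, never reuse the attacker-controlled string as the destination. The `ascii_email?` check is an extra layer, not a replacement; note also that `String#upcase(:ascii)` would sidestep the Unicode mapping, but that only papers over this one confusable and does nothing about reusing the submitted address elsewhere.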
After you've reviewed these contribution guidelines, you'll be all set to
contribute to this project.