README.md in backticks-0.4.0 vs README.md in backticks-0.5.0
- old
+ new
@@ -109,9 +109,21 @@
`echo Ruby lets me shoot myself in the foot`
```
If you do this, I will hunt you down and scoff at you. You have been warned!
+## Security
+
+Backticks avoids using your OS shell, which helps prevent security bugs.
+This also means that you can't pass strings such as "$HOME" to commands;
+Backticks does not perform shell substitution. Pass ENV['HOME'] instead.
+
+Be careful about the commands you pass to Backticks! Never run commands that
+you read from an untrusted source, e.g. the network.
+
+In the future, Backticks may integrate with Ruby's $SAFE level to provide smart
+escaping and shell safety.
+
## Development
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
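Review bot: the guidance "Never run commands that you read from an untrusted source" in the new Security section is too coarse to act on; the section should separate the command name from its arguments, because the no-shell design protects only against shell metacharacter injection. Since Backticks does not invoke the OS shell, untrusted data passed as an argument cannot inject additional commands, but untrusted data used as the command itself (the program to execute), or passed as an argument to a program that interprets it (for example a leading `-` that the target program reads as an option), is still dangerous and is not covered by the "avoids using your OS shell" sentence. Suggest rewording the second paragraph along the lines of "Never let untrusted input choose which program is run; when untrusted input is used as an argument, validate it against what the target program will interpret." The closing paragraph about a possible future `$SAFE` integration is speculative and promises behaviour the gem does not have; a README security section should document only what the current release does, so either drop it or move it to a roadmap or changelog entry.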