From 69475d0c22c88c7b1991f8db64ddc8f2177ce3af Mon Sep 17 00:00:00 2001 From: Ana Cicconi Date: Sat, 23 May 2015 11:44:46 +0200 Subject: [PATCH] Adding a caution to the getUploadRootDir() method | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #4177 [Doctrine] Security issue in handling file uploads with Doctrine --- cookbook/doctrine/file_uploads.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cookbook/doctrine/file_uploads.rst b/cookbook/doctrine/file_uploads.rst index f9a2d7bb4d9..3929f262621 100644 --- a/cookbook/doctrine/file_uploads.rst +++ b/cookbook/doctrine/file_uploads.rst @@ -99,6 +99,13 @@ file. If you're using annotations to specify your validation rules (as shown in this example), be sure that you've enabled validation by annotation (see :ref:`validation configuration `). + +.. caution:: + + If you use the getUploadRootDir() method, be aware that this will save + the file inside the document root, which can be accessed by everyone. + Consider placing it out of the document root and adding custom viewing + logic when you need to secure the files. To handle the actual file upload in the form, use a "virtual" ``file`` field. For example, if you're building your form directly in a controller, it might
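Review bot: The added caution states that files saved via getUploadRootDir() "can be accessed by everyone" but does not say why, and the context it is anchored to (the validation-by-annotation paragraph at line 99) is unrelated to that method; consider moving the note next to where getUploadRootDir() is defined in this article and spelling out the risk: a path under the web document root means any HTTP client can fetch an uploaded file directly by URL, with no application code, access check or authentication involved, so sensitive uploads are public the moment they are written. Two smaller points in the same hunk: the method name should use the document's own literal markup, i.e. ``getUploadRootDir()`` rather than bare getUploadRootDir(), to match ``file`` in the paragraph that follows; and "Consider placing it out of the document root" has an ambiguous "it" (the upload directory, not the method), so something like "Consider storing uploads outside the document root and serving them through a controller action that checks the user's permissions before returning the file" would make the recommended mitigation concrete.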