Add security section

Author: zachborboa

README.md

@@ -13,6 +13,7 @@ PHP Curl Class is an object-oriented wrapper of the PHP cURL extension that make
 - [Requirements](#requirements)
 - [Quick Start and Examples](#quick-start-and-examples)
 - [Available Methods](#available-methods)
+- [Security](#security)
 - [Contribute](#contribute)
 
 ---
@@ -279,6 +280,10 @@ MultiCurl::unsetHeader($key)
 MultiCurl::verbose($on = true, $output = STDERR)
 ```
 
+### Security
+
+See [SECURITY.md](https://github.com/php-curl-class/php-curl-class/blob/master/SECURITY.md).
+
 ### Contribute
 1. Check for open issues or open a new issue to start a discussion around a bug or feature.
 1. Fork the repository on GitHub to start making your changes.

SECURITY.md

@@ -0,0 +1,11 @@
+### Security
+
+* Don't blindly accept arbitrary urls. Curl supports many protocols including `FILE`. The following would show the contents of `file:///etc/passwd`.
+
+```php
+// https://www.example.com/fetch_page.php?url=file%3A%2F%2F%2Fetc%2Fpasswd
+$unsafe_url = $_GET['url']; // DANGER!
+$curl = new Curl();
+$curl->get($unsafe_url);
+echo $curl->response;
+```