Add documentation about random UUID for file uploads

Dev link: https://dev.gitlab.org/gitlab/gitlabhq/issues/2623

File uploads to any GitLab comment/description field receive a random UUID as a method of securing the file access. We need to document this fact in http://doc.gitlab.com/ce/security/README.html so users are aware of this. Based on our conversation in the referenced issue, we feel this is sufficiently secure method for file uploads.

@DouweM could you write a blurb about this? It seems you know your stuff.

Milestone changed to 8.3

@DouweM It would be great if you could help us write something about this. Even if it's just here in the comment and @axil and/or myself can translate that to docs. I got another inquiry about this so I'd like to get something posted soon.

@dblessing Apologies for the delay.

Images attached to issues or comments do not require authentication to be viewed if someone knows the direct URL. This direct URL contains a random 32-character ID that prevents unauthorized people from guessing the URL to an image containing sensitive information. We don't enable authentication because these images need to be visible in the body of notification emails, which are often read from email clients that are not authenticated with GitLab, like Outlook, Apple Mail, or the Mail app on your mobile device.

Note that non-image attachments do require authentication to be viewed.

Thanks @DouweM I didn't actually know that it's only images that are public.

@dblessing I didn't either until I just checked the source :)

mentioned in merge request !2055 (merged)

Status changed to closed by merge request !2055 (merged)

mentioned in commit 66706570

mentioned in merge request !14785