[Rubygems-developers] Need to release 0.9.1 due to security exploit
Eric Hodel
drbrain at segment7.net
Tue Jan 16 22:05:36 EST 2007

On Jan 16, 2007, at 14:11, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> On Jan 12, 2007, at 22:58, Paul Duncan wrote:
>>> * Eric Hodel (drbrain at segment7.net) wrote:
> [snipped]
>>>> RubyGems does not check installation paths for gems before writing
>>>> files.
>>>
>>> The potential security problems with RubyGems are actually much
>>> worse than that. Documentation and tests are executed as the user
>>> doing the install (which, as you said, is usually root). That means
>>> I can embed arbitrary Ruby code in either the documentation template
>>> and it will usually be run as root. For example:
>>
>> I don't think there's an easy way around this one.
>
> Easy is certainly subjective, but there are a couple ways to "fix" the
> documentation hole:

Currently no user-generated code is run to create the documentation.
The RDoc tool doesn't eval anything, so I think generating
documentation is safe. (Of course, I'm not 100% certain you can't
get code eval'd by running RDoc on it, only 99%)

Running unit tests and building extensions is less safe.
--
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
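A defensive check for the installation-path issue raised in the quoted text above (gem files being written without verifying that their target paths stay inside the install directory). This is an added example, not RubyGems code and not from either poster; the install directory and the archive entry names are constructed samples, and the function names are assumptions.

```ruby
# Confine a gem archive entry name to the intended install directory.
# Returns the absolute destination path, or nil if the entry would land
# outside install_dir. File.expand_path does not touch the filesystem,
# so this check is purely lexical and safe to run before writing anything.
def confined_install_path(install_dir, entry_name)
  root = File.expand_path(install_dir)

  # Absolute names and "~" names would otherwise be honoured by
  # File.expand_path ("~user/x" expands to that user's home directory).
  return nil if entry_name.start_with?("/", "\\", "~")

  dest = File.expand_path(entry_name, root)

  # The result must be strictly below root; ".." segments that climb out
  # of root (e.g. "lib/../../x") resolve to a path that fails this test.
  return nil unless dest.start_with?(root + File::SEPARATOR)

  dest
end

# Map each entry name to its accepted destination (or nil when rejected).
def check_entries(install_dir, entry_names)
  entry_names.each_with_object({}) do |name, result|
    result[name] = confined_install_path(install_dir, name)
  end
end

# Constructed sample: a hypothetical gem install directory and the kind of
# entry names a crafted gem archive might carry.
SAMPLE_INSTALL_DIR = "/tmp/gems/foo-1.0"
SAMPLE_ENTRIES = [
  "lib/foo.rb",          # ordinary file, accepted
  "lib/../foo.rb",       # stays inside root, accepted
  "../../etc/passwd",    # climbs out of root, rejected
  "lib/../../evil.rb",   # climbs out via a nested "..", rejected
  "/etc/passwd",         # absolute path, rejected
  "~/.bashrc",           # tilde expansion, rejected
]

if __FILE__ == $0
  check_entries(SAMPLE_INSTALL_DIR, SAMPLE_ENTRIES).each do |name, dest|
    puts "#{dest ? 'OK    ' : 'REJECT'} #{name.inspect} -> #{dest.inspect}"
  end
end
```

The check deliberately works on the expanded absolute path rather than by scanning for ".." substrings, so that a name like "lib/../foo.rb" (which never leaves the install directory) is still accepted while any sequence that resolves outside the root is refused.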