[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
drbrain at segment7.net
Wed Jan 17 00:42:45 EST 2007
On Jan 16, 2007, at 20:05, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> The RDoc tool doesn't eval anything, so I think generating
>> documentation is safe. (Of course, I'm not 100% certain you can't
>> get code eval'd by running RDoc on it, only 99%)
> This is simply not true; any code in an RDoc documentation template is
> executed at install-time by the installation user (which, again, is
> usually root on Unix systems). Here's the excerpt from the example I
> sent previously:
Next time I'll bother to read your email instead of making assumptions.
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
More information about the Rubygems-developers