[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Eric Hodel drbrain at segment7.net
Wed Jan 17 00:42:45 EST 2007


On Jan 16, 2007, at 20:05, Paul Duncan wrote:
> * Eric Hodel (drbrain at segment7.net) wrote:
>> The RDoc tool doesn't eval anything, so I think generating
>> documentation is safe.  (Of course, I'm not 100% certain you can't
>> get code eval'd by running RDoc on it, only 99%)
>
> This is simply not true; any code in an RDoc documentation template is
> executed at install-time by the installation user (which, again, is
> usually root on Unix systems).  Here's the excerpt from the example I
> sent previously:

I'm sorry.

Next time I'll bother to read your email instead of making assumptions.

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
