[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
Jim Weirich
jim at weirichhouse.org
Thu Jan 18 23:50:29 EST 2007
Paul Duncan wrote:
[...]
> The gist of the output above is that if you pass RDoc a template (the -T
> or --template command-line options) via the Gem specification file, it's
> evaluated and _executed at installation time_ as the _installation user_
> (which is usually root on Unix systems).
Would it be enough to disable the --template option from gemspecs? I
have no problem locking down the options that a gem author can specify
for RDoc generation. (I think the options should be site specific
anyways, so all docs on my box have a consistent look. I don't care if
the gem author doesn't like my choice of template).
-- Jim Weirich
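One way to implement the lock-down proposed above, as an added example that is not code from RubyGems or from this thread: a site-side allow-list over a gem's rdoc_options that keeps only known, site-approved RDoc flags (with their values) and drops everything else, which covers every spelling of -T/--template. The allow-list contents and the function name are assumptions.

```ruby
# Added example, not RubyGems code: filter a gemspec's rdoc_options down to
# flags the site trusts. Anything not on the list is dropped, so a
# gem-supplied template (Ruby code RDoc would evaluate at install time as
# the installing user) never reaches RDoc, whether written as "-T name",
# "-Tname", "--template name" or "--template=name".

# Assumed allow-list: flag => whether it consumes the next argument as a value.
SAFE_RDOC_OPTIONS = {
  "--main"          => true,
  "--title"         => true,
  "--charset"       => true,
  "--line-numbers"  => false,
  "--inline-source" => false,
}.freeze

# Returns [kept, dropped]. Values of allowed flags are kept alongside the
# flag; unknown flags, unknown bare words and fused "--flag=value" forms
# that are not on the list are dropped. The caller logs `dropped`.
def lock_down_rdoc_options(opts)
  kept    = []
  dropped = []
  i = 0
  while i < opts.length
    arg = opts[i]
    name, inline_value = arg.split("=", 2)   # "--main=README" -> ["--main", "README"]
    takes_value = SAFE_RDOC_OPTIONS[name]    # nil when not on the allow-list
    if takes_value.nil?
      dropped << arg                         # e.g. "-T", "--template=x", stray values
    elsif takes_value && inline_value.nil? && i + 1 < opts.length
      kept << arg << opts[i + 1]             # "--main README": keep flag and value
      i += 1
    else
      kept << arg                            # boolean flag or "--flag=value" form
    end
    i += 1
  end
  [kept, dropped]
end

if __FILE__ == $0
  # Constructed sample of what a hostile gemspec might set.
  sample = ["--main", "README", "-T", "gem_template", "--title", "Foo",
            "--line-numbers", "--template=gem_template"]
  kept, dropped = lock_down_rdoc_options(sample)
  puts "kept:    #{kept.inspect}"
  puts "dropped: #{dropped.inspect}"
end
```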