[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Jim Weirich jim at weirichhouse.org
Thu Jan 18 23:50:29 EST 2007

Paul Duncan wrote:
> The gist of the output above is that if you pass RDoc a template (the -T
> or --template command-line options) via the Gem specification file, it's
> evaluated and _executed at _installation time_ as the _installation user_
> (which is usually root on Unix systems).

Would it be enough to disable the --template option from gemspecs?  I 
have no problem locking down the options that a gem author can specify 
for RDoc generation.  (I think the options should be site specific 
anyways, so all docs on my box have a consistent look.  I don't care if 
the gem author doesn't like my choice of template).

-- Jim Weirich

More information about the Rubygems-developers mailing list