[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
Eric Hodel
drbrain at segment7.net
Fri Jan 19 13:27:35 EST 2007
On Jan 18, 2007, at 20:50, Jim Weirich wrote:
> Paul Duncan wrote:
> [...]
>> The gist of the output above is that if you pass RDoc a template (the -T
>> or --template command-line options) via the Gem specification file, it's
>> evaluated and _executed at installation time_ as the _installation user_
>> (which is usually root on Unix systems).
>
> Would it be enough to disable the --template option from gemspecs? I
> have no problem locking down the options that a gem author can specify
> for RDoc generation. (I think the options should be site-specific
> anyways, so all docs on my box have a consistent look. I don't care if
> the gem author doesn't like my choice of template).
I'm down with this.
--
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
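One way to implement the lockdown Jim proposes, as an added example that is not RubyGems' own code and not part of the original thread: before the installer hands a gem's `rdoc_options` (the Gem::Specification attribute the gemspec sets) to RDoc, strip every spelling of the template option named above (-T name, -Tname, --template name, --template=name) and append the site's own choice instead. The function names `strip_template_options` and `installer_rdoc_options`, the `TEMPLATE_FLAGS` list and the `SITE_TEMPLATE` default are this example's assumptions, not RubyGems API.

```ruby
# Added example, not RubyGems' own code. Removes the RDoc template option
# (-T / --template, the options named in the thread) from a gemspec's
# rdoc_options so that no gem-supplied template file is loaded and run as
# the installing user. Names below are this example's own assumptions.

# The two long/short spellings of the option that take a separate value.
TEMPLATE_FLAGS = %w[-T --template].freeze

# Returns a new option array with every form of the template option removed:
#   -T name, -Tname, --template name, --template=name
# All other options pass through unchanged.
def strip_template_options(rdoc_options)
  out = []
  skip_next = false
  rdoc_options.each do |arg|
    if skip_next
      # This argument is the value of a preceding -T / --template; drop it.
      skip_next = false
      next
    end

    if TEMPLATE_FLAGS.include?(arg)
      skip_next = true                       # "-T name" / "--template name"
    elsif arg.start_with?('-T') && !arg.start_with?('--') && arg.length > 2
      next                                   # "-Tname" (value glued on)
    elsif arg.start_with?('--template=')
      next                                   # "--template=name"
    else
      out << arg
    end
  end
  out
end

# Installer-side policy: the gem author's template choice is discarded and
# the site's own template is applied, so all docs on the box look alike.
# SITE_TEMPLATE is an assumed default for the example.
SITE_TEMPLATE = 'html'.freeze

def installer_rdoc_options(spec_rdoc_options, site_template = SITE_TEMPLATE)
  strip_template_options(spec_rdoc_options) + ['--template', site_template]
end

if __FILE__ == $0
  # Constructed sample of what a hostile gemspec might put in rdoc_options.
  from_gemspec = %w[--main README --template evil_tpl -Tevil_tpl --line-numbers]
  p installer_rdoc_options(from_gemspec)
end
```

Rejecting the option outright (aborting the install) is an equally valid policy; the example silently drops it because the thread's stated goal is that the gem author simply does not get a say in the template.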