[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Eric Hodel drbrain at segment7.net
Fri Jan 19 13:27:35 EST 2007


On Jan 18, 2007, at 20:50, Jim Weirich wrote:
> Paul Duncan wrote:
> [...]
>> The gist of the output above is that if you pass RDoc a template (the -T
>> or --template command-line options) via the Gem specification file, it's
>> evaluated and _executed at installation time_ as the _installation user_
>> (which is usually root on Unix systems).
>
> Would it be enough to disable the --template option from gemspecs?  I
> have no problem locking down the options that a gem author can specify
> for RDoc generation.  (I think the options should be site-specific
> anyways, so all docs on my box have a consistent look.  I don't care if
> the gem author doesn't like my choice of template).

I'm down with this.

-- 
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!
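The lock-down Jim proposes above, as an added example that is not part of the thread and not RubyGems' own code: a site-side allowlist filter applied to the option array a gemspec hands to RDoc, so that -T / --template (in both the two-token and the "=" spellings) never reaches RDoc and can no longer name a template file that gets executed at install time as the installing user. The allowlist contents (FORBIDDEN_RDOC_OPTIONS, SAFE_FLAG_OPTIONS, SAFE_VALUE_OPTIONS) and the function name filter_rdoc_options are assumptions chosen for illustration; a site would pick its own.

```ruby
# Added example, not RubyGems' or RDoc's own code. Filters the RDoc option
# array a gem supplies (the shape of Gem::Specification#rdoc_options) so that
# a gem cannot point RDoc at a template of its choosing. Everything not on
# the site's allowlist is dropped, which is the safe default for an option
# parser you do not fully enumerate.

# Options that name a template RDoc would load and execute at install time.
# (Hypothetical deny list; -T/--template are the options named in the thread.)
FORBIDDEN_RDOC_OPTIONS = %w[-T --template].freeze

# Presentation-only flags that take no argument. (Hypothetical allowlist.)
SAFE_FLAG_OPTIONS = %w[--inline-source --line-numbers --all].freeze

# Options that take one non-code argument (a title, a main page, a charset).
# (Hypothetical allowlist.)
SAFE_VALUE_OPTIONS = %w[--title --main --charset].freeze

# Returns [kept_options, rejected_options], both arrays of strings, so the
# caller can log what was stripped from the gem before RDoc ever runs.
def filter_rdoc_options(options)
  kept = []
  rejected = []
  args = options.dup
  until args.empty?
    opt = args.shift
    name, inline_value = opt.split('=', 2)   # "--template=foo" -> ["--template", "foo"]
    takes_next = inline_value.nil? && !args.empty? && !args.first.start_with?('-')

    if FORBIDDEN_RDOC_OPTIONS.include?(name)
      # Drop the option and, for the two-token "-T foo" form, its value too,
      # so the value cannot fall through and be parsed as a stray option.
      rejected << opt
      rejected << args.shift if takes_next
    elsif SAFE_FLAG_OPTIONS.include?(name) && inline_value.nil?
      kept << opt
    elsif SAFE_VALUE_OPTIONS.include?(name)
      if inline_value
        kept << opt
      elsif takes_next
        kept << opt << args.shift
      else
        rejected << opt   # value-taking option with no value: malformed, drop it
      end
    else
      rejected << opt     # unknown option: not on the allowlist, drop it
    end
  end
  [kept, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what a trojaned gemspec might pass, mixed with benign options.
  sample = %w[--main README --title Foo -T /tmp/evil --template=/tmp/evil2 --line-numbers -x]
  kept, rejected = filter_rdoc_options(sample)
  puts "kept:     #{kept.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

The two-token form is the one to get right: if the filter removed only "-T" and left "/tmp/evil" in place, the path would still be handed to RDoc as a positional argument, which is why the value is consumed together with the option.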