[Rubygems-developers] Executing code after installing gem

Charlie Savage cfis at savagexi.com
Tue Nov 25 11:28:36 EST 2008


> RubyGems is not designed for arbitrary code execution, which will be a
> security concern.

Except it already does by letting a developer specify a Rakefile in 
spec.extensions.  That's how I hacked around RubyGems to correctly 
install dependent dlls into the lib directory.

Not to mention the fact that once I have my gem installed, it can pretty 
much do what it wants.

Charlie
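
An added example, not part of the original message or of RubyGems' own code: a small audit that lists which gem specifications declare `spec.extensions` entries, the install-time build hook the message refers to. The gem names are constructed samples, and the mapping from file name to what gets run is a simplified assumption.

```ruby
require "rubygems"

# Simplified mapping from an extensions entry to what RubyGems runs for it
# at install time (illustrative assumption, not RubyGems' own table).
BUILD_STEPS = [
  [/extconf/i,            "ruby script (extconf)"],
  [/rakefile|mkrf_conf/i, "rake task (arbitrary Ruby)"],
  [/configure/i,          "shell script (configure)"],
].freeze

# Returns [[gem_full_name, extension_path, what_runs], ...] for every
# spec that declares at least one extension. Specs without extensions
# contribute no rows.
def install_time_steps(specs)
  specs.flat_map do |spec|
    spec.extensions.map do |ext|
      _, label = BUILD_STEPS.find { |pattern, _| File.basename(ext) =~ pattern }
      [spec.full_name, ext, label || "unrecognized builder"]
    end
  end
end

# Constructed sample specs (hypothetical gem names).
SAMPLE_SPECS = [
  Gem::Specification.new("pure_ruby_example", "1.0.0"),
  Gem::Specification.new("dll_copier_example", "0.2.0") { |s| s.extensions = ["ext/Rakefile"] },
  Gem::Specification.new("native_example", "3.1.0") { |s| s.extensions = ["ext/native/extconf.rb"] },
].freeze

if __FILE__ == $PROGRAM_NAME
  install_time_steps(SAMPLE_SPECS).each { |row| puts row.join("  ") }
  # To audit what is already installed:
  #   install_time_steps(Gem::Specification.to_a)
end
```

Running the same function over a fetched but not yet installed gem's specification shows what would execute before `gem install` is allowed to run it.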