[Rubygems-developers] Executing code after installing gem

Luis Lavena luislavena at gmail.com
Tue Nov 25 11:31:53 EST 2008


On Tue, Nov 25, 2008 at 2:28 PM, Charlie Savage <cfis at savagexi.com> wrote:
>> RubyGems is not designed for arbitrary code execution, which will be a
>> security concern.
>
> Except it already does by letting a developer specify a Rakefile in
> spec.extensions.  That's how I hacked around RubyGems to correctly install
> dependent dlls into the lib directory.

Point taken, but it is a flaw, not intentional by design.

Talking in a sudoer powered environment, moving dlls does not apply,
which was the case Matt asked about.

> Not to mention the fact that once I have my gem installed, it can pretty
> much do what it wants.

Yep, RubyGems opens Pandora's box, but having the power doesn't mean we
should abuse it, so in the future when it gets fixed we don't rant
about losing that cool feature ;-)

-- 
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
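The thread's point is that anything listed in spec.extensions (an extconf.rb, or the Rakefile trick Charlie describes) runs code on `gem install`. The following is an added audit helper, not part of this thread or of RubyGems itself; it classifies each declared extension by the builder RubyGems would pick for it (file-name matching is my assumption of how that mapping behaves) and lists installed gems that carry such hooks.

```ruby
# Added audit helper (not RubyGems project code): classify the install-time
# build hooks a gemspec declares in spec.extensions, mirroring how RubyGems
# picks a builder from the file name (extconf.rb, Rakefile/mkrf_conf.rb,
# configure, CMakeLists.txt). Every entry in that list runs on `gem install`.
require 'rubygems'

# Map an extension path to the kind of builder RubyGems would use for it.
def extension_builder(path)
  case File.basename(path)
  when 'extconf.rb'               then :extconf   # mkmf script, runs Ruby
  when 'Rakefile', 'mkrf_conf.rb' then :rake      # runs a Rake task tree
  when 'configure'                then :configure # runs a shell script
  when 'CMakeLists.txt'           then :cmake
  else :unknown
  end
end

# Each declared extension paired with the builder kind it would trigger.
def install_time_hooks(spec)
  spec.extensions.map { |ext| [ext, extension_builder(ext)] }
end

# True when installing this spec would execute any build hook.
def runs_code_at_install?(spec)
  !spec.extensions.empty?
end

# Walk every installed gem and report those that carry build hooks.
def audit_installed_gems
  Gem::Specification.select { |s| runs_code_at_install?(s) }
                    .map { |s| [s.full_name, install_time_hooks(s)] }
end

# Constructed sample spec (not a real gem) showing the Rakefile case from
# the thread next to the conventional extconf.rb.
def sample_spec
  Gem::Specification.new do |s|
    s.name       = 'example-native'
    s.version    = '0.1.0'
    s.summary    = 'constructed example'
    s.authors    = ['example']
    s.extensions = ['ext/example/extconf.rb', 'Rakefile']
  end
end

if __FILE__ == $0
  audit_installed_gems.each { |name, hooks| puts "#{name}: #{hooks.inspect}" }
end
```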
