2013/11/22 <drbrain / ruby-lang.org>:
> drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
>
> New Revision: 43767
>
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
>
> Log:
> * lib/rubygems: Update to RubyGems master 50a8210. Important changes
> in this commit:
>
> RubyGems now automatically checks for gem.deps.rb or Gemfile when
> running ruby executables. This behavior is similar to `bundle exec
> rake`. This change may be reverted before Ruby 2.1.0 if too many bugs
> are found.

I think that running ./Gemfile is a security risk.
It may match "CWE-114: Process Control".
http://cwe.mitre.org/data/definitions/114.html

Consider a multi-user environment.
A malicious user can create /tmp/Gemfile.
A victim may run ruby in /tmp eventually.

malicious% echo 'raise "hahaha"' > /tmp/Gemfile

victim# cd /tmp
victim# ruby -e ''
/tmp/Gemfile:1:in `load': hahaha (RuntimeError)
        from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set/gem_dependency_api.rb:193:in `instance_eval'
        from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set/gem_dependency_api.rb:193:in `load'
        from /home/ruby/tst1/lib/ruby/2.1.0/rubygems/request_set.rb:206:in `load_gemdeps'
        from /home/ruby/tst1/lib/ruby/2.1.0/rubygems.rb:1036:in `use_gemdeps'
        from /home/ruby/tst1/lib/ruby/2.1.0/rubygems.rb:1217:in `<top (required)>'
        from <internal:gem_prelude>:1:in `require'
        from <internal:gem_prelude>:1:in `<compiled>'

Of course, the malicious user can write more dangerous code in /tmp/Gemfile.
-- 
Tanaka Akira
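The risk described above is that a dependency file is picked up from the current directory and `instance_eval`'d regardless of who created it. The following is an added example, not code from RubyGems or from the message, of the kind of ownership and permission check a loader can apply before trusting such a file: it refuses files not owned by the current effective user, world-writable files, and files in world-writable directories such as /tmp (mode 1777). The rules, the names `trusted_gemdeps?` and `find_trusted_gemdeps`, and the scratch directories built in `demo` are assumptions for illustration; they stand in for /tmp and a private project directory so the example runs offline.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not RubyGems code. The trust rules below are assumptions
# for illustration, not RubyGems' own policy:
#   - the file must exist and be a regular file (no symlinks)
#   - it must be owned by the current effective user
#   - neither the file nor its directory may be world-writable
# In a shared directory like /tmp (mode 1777) the directory check fails,
# so a Gemfile planted there by another user is never evaluated.
GEMDEPS_NAMES = %w[gem.deps.rb Gemfile].freeze

def world_writable?(stat)
  (stat.mode & 0o002) != 0
end

# Returns true only when +path+ passes every trust rule above.
def trusted_gemdeps?(path)
  return false if File.symlink?(path) || !File.file?(path)

  file_stat = File.stat(path)
  dir_stat  = File.stat(File.dirname(File.expand_path(path)))
  return false unless file_stat.uid == Process.euid
  return false if world_writable?(file_stat)
  return false if world_writable?(dir_stat)

  true
end

# Mirrors the auto-detection step: look for a dependency file in +dir+ and
# return its path only if it passes the trust check, otherwise nil.
def find_trusted_gemdeps(dir)
  GEMDEPS_NAMES.map { |name| File.join(dir, name) }
               .find { |candidate| trusted_gemdeps?(candidate) }
end

# Builds the two situations from the report in a scratch directory
# (constructed sample data) and returns [private_result, shared_result].
def demo
  Dir.mktmpdir('gemdeps-demo') do |root|
    private_dir = File.join(root, 'project')
    shared_dir  = File.join(root, 'shared') # stands in for /tmp
    FileUtils.mkdir_p([private_dir, shared_dir])
    File.chmod(0o755, private_dir)
    File.chmod(0o1777, shared_dir)

    own_file = File.join(private_dir, 'Gemfile')
    File.write(own_file, "gem 'rake'\n")
    File.chmod(0o644, own_file)

    # The file another user would plant; here we only create it, never load it.
    planted = File.join(shared_dir, 'Gemfile')
    File.write(planted, "raise 'hahaha'\n")

    [find_trusted_gemdeps(private_dir), find_trusted_gemdeps(shared_dir)]
  end
end

if $PROGRAM_NAME == __FILE__
  own, shared = demo
  puts "private project Gemfile trusted: #{!own.nil?}"
  puts "shared-directory Gemfile trusted: #{!shared.nil?}"
end
```

The directory check is the one that matters for the scenario in the message: even when the planted file happens to be readable and looks harmless, the fact that anyone can create files in the directory is enough to refuse auto-loading there. Requiring an explicit opt-in (an environment variable or command-line flag) rather than scanning the working directory at all is the simpler mitigation, and is what RubyGems later adopted with `RUBYGEMS_GEMDEPS`.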