Tanaka Akira <akr / fsij.org> wrote:
> 2013/11/22 <drbrain / ruby-lang.org>:
> > drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
> >
> > New Revision: 43767
> >
> > http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
> >
> > Log:
> > * lib/rubygems: Update to RubyGems master 50a8210. Important changes
> > in this commit:
> >
> > RubyGems now automatically checks for gem.deps.rb or Gemfile when
> > running ruby executables. This behavior is similar to `bundle exec
> > rake`. This change may be reverted before Ruby 2.1.0 if too many bugs
> > are found.
>
> I think that running ./Gemfile is a security risk.
> It may match "CWE-114: Process Control".
> http://cwe.mitre.org/data/definitions/114.html

I agree with akr, this looks very scary.

I clone + read code for many projects, but rarely /run/ the code because
I'm still reviewing it and do not yet trust it to run.

However, if I run any RubyGem executable in the working directory
(e.g. dtas-ctl to control my music player), I could be loading that
Gemfile code inadvertently.

This is totally surprising and dangerous behavior.
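The concern in this thread is that a gem executable run inside an unreviewed checkout would load whatever gem.deps.rb or Gemfile sits in the working directory. The script below is an added example, not code from the thread, from RubyGems or from Bundler: it lists the dependency files present in a directory and flags lines in them that do more than declare gems (shell-outs, eval, requires, network or file writes), so a reviewer can inspect a tree before running anything in it. The pattern table is a constructed heuristic, not a Ruby parser, and the sample Gemfile in the usage section is constructed for the demonstration.

```ruby
# Added example: audit a working tree for dependency files that the quoted
# commit says RubyGems would load automatically, and flag lines in them
# that execute or fetch code rather than just declare gems.
require 'tmpdir'

# File names named in the quoted commit message.
DEP_FILES = %w[gem.deps.rb Gemfile].freeze

# Heuristic patterns for lines that act on load. Constructed for this
# example; expect both misses and false positives, and read the file.
SUSPICIOUS = {
  'shell'   => /`|%x[\(\[{]|\b(system|exec|spawn)\s*\(|IO\.popen|Open3\./,
  'eval'    => /\b(eval|instance_eval|class_eval|module_eval|load)\b/,
  'require' => /^\s*require\b/,
  'network' => /Net::HTTP|open-uri|TCPSocket|URI\.open/,
  'fs'      => /File\.(write|open|delete|unlink|chmod)|FileUtils\./
}.freeze

# Dependency files present directly in +dir+, in DEP_FILES order.
def dep_files_in(dir)
  DEP_FILES.map { |name| File.join(dir, name) }.select { |path| File.file?(path) }
end

# Returns [[line_number, category, stripped_line], ...] for every line of
# +src+ that matches a SUSPICIOUS pattern. Trailing comments are ignored
# with a crude strip (a '#' inside a string literal will also be cut).
def audit_source(src)
  findings = []
  src.each_line.with_index(1) do |line, no|
    code = line.sub(/#.*$/, '').strip
    next if code.empty?
    SUSPICIOUS.each do |category, re|
      findings << [no, category, line.strip] if code.match?(re)
    end
  end
  findings
end

# Maps each dependency file under +dir+ to its findings. An empty array
# means nothing beyond plain gem declarations was spotted by the patterns.
def audit_dir(dir)
  dep_files_in(dir).each_with_object({}) do |path, report|
    report[File.basename(path)] = audit_source(File.read(path))
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample Gemfile: two ordinary lines and one shell-out
    # that would run the moment the file is loaded.
    File.write(File.join(dir, 'Gemfile'), <<~GEMFILE)
      source 'https://rubygems.org'
      gem 'rake'
      system('echo side effect')   # runs on load
    GEMFILE
    audit_dir(dir).each do |file, findings|
      verdict = findings.empty? ? 'declarations only' : "#{findings.size} finding(s)"
      puts "#{file}: #{verdict}"
      findings.each { |no, cat, line| puts "  line #{no} [#{cat}] #{line}" }
    end
  end
end
```

Run it with the checkout as the current directory, or call `audit_dir(path)` from a shell wrapper before invoking a gem executable; a non-empty findings list is a prompt to read the file, not proof of malice, and an empty one only means the listed patterns did not fire.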