On 21 Nov 2013, at 23:46, Eric Wong <normalperson / yhbt.net> wrote:
> Tanaka Akira <akr / fsij.org> wrote:
>> 2013/11/22  <drbrain / ruby-lang.org>:
>>> drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
>>>
>>>  New Revision: 43767
>>>
>>>  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
>>>
>>>  Log:
>>>    * lib/rubygems:  Update to RubyGems master 50a8210.  Important changes
>>>      in this commit:
>>>
>>>      RubyGems now automatically checks for gem.deps.rb or Gemfile when
>>>      running ruby executables.  This behavior is similar to `bundle exec
>>>      rake`.  This change may be reverted before Ruby 2.1.0 if too many bugs
>>>      are found.
>>
>> I think that running ./Gemfile is a security risk.
>> It may match "CWE-114: Process Control".
>> http://cwe.mitre.org/data/definitions/114.html
>
> I agree with akr, this looks very scary.
>
> I clone + read code for many projects, but rarely /run/ the code because
> I'm still reviewing it and do not yet trust it to run.
>
> However, if I run any RubyGem executable in the working directory (e.g.
> dtas-ctl to control my music player), I could be loading that Gemfile
> code inadvertently.  This is totally surprising and dangerous behavior.

Ok, I will revert it.
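The risk the thread describes, as an added example that is not part of the original mail thread and is not RubyGems' or Bundler's own code: a Gemfile is plain Ruby, so "checking for a Gemfile in the working directory" means evaluating whatever Ruby happens to be in a directory the user never asked to run. The `DepDsl` class below is an assumed minimal stand-in for a dependency-file DSL, the Gemfile content is constructed for the demonstration, and the temporary directory plays the part of a freshly cloned, not-yet-reviewed repository.

```ruby
require "tmpdir"

# Constructed example of an untrusted Gemfile: the dependency lines are
# ordinary, but a Gemfile is plain Ruby, so any statement in it runs when the
# file is evaluated. (Single-quoted heredoc so the #{} is evaluated on load,
# not when this constant is defined.)
UNTRUSTED_GEMFILE = <<~'RUBY'
  source "https://rubygems.org"
  gem "rake", "~> 10.0"
  $gemfile_side_effect = "Gemfile code ran from #{Dir.pwd}"
RUBY

# Dependency file names mentioned in the commit message.
DEP_FILE_NAMES = %w[gem.deps.rb Gemfile].freeze

# Minimal stand-in for a dependency-file DSL (assumption: this is not
# RubyGems' or Bundler's real implementation). It records `gem` calls, but
# because the file is evaluated as Ruby there is no way to stop it running
# anything else it contains.
class DepDsl
  attr_reader :gems

  def initialize
    @gems = []
  end

  def source(_uri); end

  def gem(name, *requirements)
    @gems << [name, requirements]
  end

  # Evaluate the file with the DSL object as self; arbitrary Ruby in the
  # file runs with the full privileges of the current user.
  def self.evaluate(path)
    dsl = new
    dsl.instance_eval(File.read(path), path, 1)
    dsl
  end
end

# The behaviour akr and Eric objected to: scan the directory the command
# happens to be run from and evaluate the first dependency file found.
def implicit_deps(cwd)
  path = DEP_FILE_NAMES.map { |n| File.join(cwd, n) }.find { |p| File.file?(p) }
  path && DepDsl.evaluate(path)
end

# Opt-in alternative: evaluate a dependency file only when the caller names
# it explicitly, never because of where the shell's cwd happens to be.
def explicit_deps(path)
  return nil if path.nil? || path.empty?
  raise ArgumentError, "dependency file not found: #{path}" unless File.file?(path)
  DepDsl.evaluate(File.expand_path(path))
end

# Simulate running an unrelated gem executable from inside a freshly cloned,
# not-yet-reviewed repository (assumption: the repository is a temp dir
# containing the constructed Gemfile). Returns the side-effect marker as it
# looked after each strategy, plus the gems the cwd scan picked up.
def demo(explicit_path = nil)
  Dir.mktmpdir("untrusted-clone") do |dir|
    File.write(File.join(dir, "Gemfile"), UNTRUSTED_GEMFILE)
    Dir.chdir(dir) do
      $gemfile_side_effect = nil
      explicit_deps(explicit_path)
      after_explicit = $gemfile_side_effect

      $gemfile_side_effect = nil
      deps = implicit_deps(Dir.pwd)
      after_implicit = $gemfile_side_effect

      { explicit: after_explicit, implicit: after_implicit,
        gems: deps ? deps.gems.map(&:first) : [] }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "explicit (nothing named): #{r[:explicit].inspect}"
  puts "implicit (cwd scan):      #{r[:implicit].inspect}"
end
```

With nothing named, `explicit_deps` evaluates nothing and the marker stays `nil`; the cwd scan evaluates the Gemfile and the marker records that its code ran from the clone directory. There is no way to "safely" evaluate a Gemfile found by accident, since the dependency declarations and the payload are the same language; the only defence is to evaluate only files the user explicitly asked for, which is why the revert is the right fix.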