On 21 Nov 2013, at 23:46, Eric Wong <normalperson / yhbt.net> wrote:

> Tanaka Akira <akr / fsij.org> wrote:
>> 2013/11/22 <drbrain / ruby-lang.org>:
>>> drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
>>>
>>> New Revision: 43767
>>>
>>> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
>>>
>>> Log:
>>> * lib/rubygems: Update to RubyGems master 50a8210. Important changes
>>> in this commit:
>>>
>>> RubyGems now automatically checks for gem.deps.rb or Gemfile when
>>> running ruby executables. This behavior is similar to `bundle exec
>>> rake`. This change may be reverted before Ruby 2.1.0 if too many bugs
>>> are found.
>>
>> I think that running ./Gemfile is a security risk.
>> It may match "CWE-114: Process Control".
>> http://cwe.mitre.org/data/definitions/114.html
>
> I agree with akr, this looks very scary.
>
> I clone + read code for many projects, but rarely /run/ the code because
> I'm still reviewing it and do not yet trust it to run.
>
> However, if I run any RubyGem executable in the working directory (e.g.
> dtas-ctl to control my music player), I could be loading that Gemfile
> code inadvertently. This is totally surprising and dangerous behavior.

Ok, I will revert it.
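The concern in the thread is that a Gemfile or gem.deps.rb is plain Ruby, so loading one from an untrusted working directory runs whatever it contains. The following is an added example, not code from the thread or from RubyGems: a small Ripper-based check that reports every method call in such a file that is not part of the declarative dependency DSL, so a reviewer can tell a file that only declares gems from one that has side effects when evaluated. The DSL allowlist and the sample Gemfiles are constructed assumptions.

```ruby
require "ripper"

# Assumed allowlist of declarative Gemfile DSL methods: a file that calls only
# these declares dependencies and nothing else.
GEMFILE_DSL = %w[source gem group gemspec platforms platform ruby git git_source path].freeze

# Extracts the identifier string from an [:@ident, "name", [line, col]] node.
def ident_name(node)
  node[1] if node.is_a?(Array) && node.first == :@ident
end

# Walks the AST of a Gemfile (or gem.deps.rb) and returns every method call that
# is not part of the dependency DSL. An empty array means evaluating the file only
# declares dependencies; anything else means it runs arbitrary Ruby on load.
def suspicious_calls(gemfile_source)
  sexp = Ripper.sexp(gemfile_source)
  return ["<syntax error>"] if sexp.nil?   # Ripper.sexp returns nil when the file does not parse

  found = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    case node.first
    when :command, :fcall, :vcall        # receiverless call: `gem "rake"`, `system "x"`, `exit`
      name = ident_name(node[1])
      found << name if name && !GEMFILE_DSL.include?(name)
    when :call                           # call with a receiver: `File.write(...)`
      name = ident_name(node[3])
      found << ".#{name}" if name
    when :xstring_literal                # backtick command substitution
      found << "`...`"
    end
    node.each { |child| walk.call(child) }   # keep descending into blocks, args, receivers
  end
  walk.call(sexp)
  found.uniq
end

# Constructed sample inputs (not taken from any real project).
CLEAN_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  ruby "2.1.0"
  gem "rake"
  group :test do
    gem "minitest", "~> 5.0" if ENV["CI"]
  end
GEMFILE

UNSAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  system("echo Gemfile evaluated")      # side effect just from being loaded
  File.write("gemfile.log", "evaluated")
GEMFILE
```

Running `suspicious_calls` over each sample returns `[]` for the clean file and `["system", ".write"]` for the unsafe one; a Gemfile that fails to parse is reported as `["<syntax error>"]` rather than silently passing.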