On 22 Nov 2013, at 10:25, Eric Hodel <drbrain / segment7.net> wrote:

> On 21 Nov 2013, at 23:46, Eric Wong <normalperson / yhbt.net> wrote:
>> Tanaka Akira <akr / fsij.org> wrote:
>>> I think that running ./Gemfile is a security risk.
>>> It may match "CWE-114: Process Control".
>>> http://cwe.mitre.org/data/definitions/114.html
>>
>> I agree with akr, this looks very scary.
>>
>> I clone + read code for many projects, but rarely /run/ the code because
>> I'm still reviewing it and do not yet trust it to run.
>>
>> However, if I run any RubyGem executable in the working directory (e.g.
>> dtas-ctl to control my music player), I could be loading that Gemfile
>> code inadvertently. This is totally surprising and dangerous behavior.
>
> Ok, I will revert it.

Done with r43806
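The risk the thread describes, shown as an added example that is not part of the original message and not RubyGems or Bundler code: a Gemfile is plain Ruby, so any component that silently evaluates ./Gemfile from the current working directory runs whatever an unreviewed checkout put there, with the privileges of the user who merely ran a gem executable in that directory (the CWE-114 point). The GemfileDSL class, the implicit_gemfile and explicit_gemfile helpers, the BUNDLE_GEMFILE opt-in and the temporary "untrusted clone" are all constructed here for illustration.

```ruby
require "tmpdir"
require "pathname"

# Minimal stand-in for a Gemfile DSL (hypothetical, not Bundler's): `source` and
# `gem` are accepted and recorded, and everything else in the file runs as
# ordinary Ruby, exactly as it would in a real Gemfile.
class GemfileDSL
  attr_reader :gems

  def initialize
    @gems = []
  end

  def source(_url); end

  def gem(name, *_args)
    @gems << name
  end

  def evaluate(path)
    instance_eval(File.read(path), path, 1)
    self
  end
end

# Risky behaviour: pick up ./Gemfile from wherever the executable happens to be
# run. The caller never asked for it, so an untrusted checkout controls what runs.
def implicit_gemfile(cwd)
  candidate = File.join(cwd, "Gemfile")
  File.file?(candidate) ? candidate : nil
end

# Hardened behaviour: only honour a Gemfile the user named explicitly (here via a
# hypothetical BUNDLE_GEMFILE variable), and insist on an absolute path so that a
# relative name cannot be resolved against an untrusted working directory.
def explicit_gemfile(env)
  path = env["BUNDLE_GEMFILE"].to_s
  return nil if path.empty?
  raise ArgumentError, "BUNDLE_GEMFILE must be absolute: #{path}" unless Pathname.new(path).absolute?
  File.file?(path) ? path : nil
end

# Simulate running a gem executable inside a freshly cloned, unreviewed repo whose
# Gemfile carries a payload (constructed sample: it only writes a marker file).
def demo
  Dir.mktmpdir("untrusted-clone") do |clone|
    marker = File.join(clone, "pwned.txt")
    File.write(File.join(clone, "Gemfile"), <<~RUBY)
      source "https://rubygems.org"
      gem "rake"
      File.write(#{marker.inspect}, "arbitrary code ran")
    RUBY

    results = {}

    # Old behaviour: the Gemfile is found and evaluated just by being in cwd.
    path = implicit_gemfile(clone)
    GemfileDSL.new.evaluate(path) if path
    results[:implicit_ran_code] = File.exist?(marker)
    File.delete(marker) if File.exist?(marker)

    # Hardened behaviour: nothing in cwd is consulted without an explicit opt-in.
    path = explicit_gemfile({})
    GemfileDSL.new.evaluate(path) if path
    results[:explicit_ran_code] = File.exist?(marker)

    results
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |policy, ran| puts "#{policy}: #{ran}" }
end
```

The check that matters is the second half of demo: with no explicit opt-in, the working directory is never consulted, so reviewing a clone and running an unrelated gem executable inside it stays a read-only activity.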