[ruby-core:58507] Re: [ruby-cvs:50910] drbrain:r43767 (trunk): * lib/rubygems: Update to RubyGems master 50a8210. Important changes

< ^ > P N |<>| ^ _>< --- | ~ ...Help

On 22 Nov 2013, at 10:25, Eric Hodel <drbrain / segment7.net> wrote:
> On 21 Nov 2013, at 23:46, Eric Wong <normalperson / yhbt.net> wrote:
>> Tanaka Akira <akr / fsij.org> wrote:
>>> I think that running ./Gemfile is a security risk.
>>> It may match "CWE-114: Process Control".
>>> http://cwe.mitre.org/data/definitions/114.html
>> 
>> I agree with akr, this looks very scary.
>> 
>> I clone + read code for many projects, but rarely /run/ the code because
>> I'm still reviewing it and do not yet trust it to run.
>> 
>> However, if I run any RubyGem executable in the working directory (e.g.
>> dtas-ctl to control my music player), I could be loading that Gemfile
>> code inadvertantly.  This is totally surprising and dangerous behavior.
> 
> Ok, I will revert it.

Done with r43806