[Pkg-puppet-devel] [facter] 80/180: (FACT-480) Remove current directory from Ruby load path.

Stig Sandbeck Mathisen ssm at debian.org
Mon Jun 30 15:06:33 UTC 2014


This is an automated email from the git hooks/post-receive script.

ssm pushed a commit to branch master
in repository facter.

commit 849b4ccf8c65fb6dba69d40d7c91db413fb70060
Author: Peter Huene <peter.huene at puppetlabs.com>
Date:   Tue May 6 14:28:08 2014 -0700

    (FACT-480) Remove current directory from Ruby load path.
    
    The current directory ('.') is on the load path for Ruby 1.8.7.
    This is a security vulnerability as it allows arbitrary code loading if
    users create ruby source files with names that correspond to those that
    facter is trying to load.
    
    The fix is to explicitly remove '.' from the load path before any code
    is loaded by facter.
---
 bin/facter | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bin/facter b/bin/facter
index 0616157..7aec067 100755
--- a/bin/facter
+++ b/bin/facter
@@ -1,5 +1,9 @@
 #!/usr/bin/env ruby
 
+# For security reasons, ensure that '.' is not on the load path
+# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
+$LOAD_PATH.delete '.'
+
 # Bundler and rubygems maintain a set of directories from which to
 # load gems. If Bundler is loaded, let it determine what can be
 # loaded. If it's not loaded, then use rubygems. But do this before
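Review bot: the `$LOAD_PATH.delete '.'` added at the top of bin/facter protects the command-line tool only, so the commit message's "before any code is loaded by facter" holds for the executable but not for programs that `require 'facter'` as a library under 1.8.7, where '.' stays on the load path while facter's own files are resolved; either repeat the deletion at the library entry point or say in the comment that only the executable is covered. Minor: `delete '.'` matches that literal entry alone, so other relative entries pointing at the working directory that reach the load path through RUBYLIB (for example `./`) are left in place; `delete_if` on relative entries would close that too.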

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-puppet/facter.git
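The hijack the commit message describes, and the effect of the fix, reproduced as an added example (this is not facter's code and not part of the original notice). Modern Ruby does not put '.' on `$LOAD_PATH`, so the 1.8.7 condition is recreated by pushing '.' explicitly. The library name `PLANTED_LIB`, the helper names, and the optional `drop_all_relative` step (which goes beyond the commit by removing every relative entry, since each of them resolves against the working directory at `require` time) are this example's own assumptions.

```ruby
require 'tmpdir'
require 'pathname'

# Added example, not facter's own code. It reproduces the load-path hijack on a
# current Ruby by putting '.' on $LOAD_PATH the way 1.8.7 did by default, plants
# a file in the working directory under a name an application will `require`,
# and shows that deleting '.' makes that require fail instead.

# Hypothetical library name; `require PLANTED_LIB` stands in for facter loading
# one of its own files by bare name. Chosen so it cannot match an installed gem.
PLANTED_LIB = 'facter_loadpath_demo_plugin'

$demo_loaded = [] # appended to by the planted file when it actually executes

# Write the attacker-controlled file into +dir+, the future working directory.
# Its body only records that it ran; a real one could run anything.
def plant_malicious_file(dir)
  path = File.join(dir, "#{PLANTED_LIB}.rb")
  File.write(path, "$demo_loaded << __FILE__\n")
  path
end

# The commit's fix is the first line: drop the literal '.' entry. The optional
# second step is this example's generalisation (not in the commit): drop every
# relative entry, e.g. one added through RUBYLIB, since all of them are resolved
# against the working directory at require time.
def harden_load_path!(load_path, drop_all_relative: false)
  load_path.delete('.')
  load_path.delete_if { |p| Pathname.new(p).relative? } if drop_all_relative
  load_path
end

# Issue one bare `require` from inside a fresh temp dir holding the planted file.
# Returns :hijacked if the planted file executed, :safe if require raised
# LoadError, :loaded_elsewhere if some other file satisfied the require.
def attempt_require(harden:)
  Dir.mktmpdir do |dir|
    plant_malicious_file(dir)
    $LOAD_PATH.push('.') unless $LOAD_PATH.include?('.') # the 1.8.7 default
    harden_load_path!($LOAD_PATH) if harden # the fix from the commit
    # Forget any earlier load of the demo feature so each run is independent.
    $LOADED_FEATURES.delete_if { |f| f.end_with?("/#{PLANTED_LIB}.rb") }
    $demo_loaded.clear
    begin
      Dir.chdir(dir) do
        begin
          require PLANTED_LIB
          $demo_loaded.empty? ? :loaded_elsewhere : :hijacked
        rescue LoadError
          :safe
        end
      end
    ensure
      $LOAD_PATH.delete('.') # leave the interpreter as we found it
    end
  end
end

if __FILE__ == $0
  puts "with '.' on $LOAD_PATH: #{attempt_require(harden: false)}"
  puts "after deleting '.':     #{attempt_require(harden: true)}"
end
```

The first run resolves the bare `require` to the file in the working directory because Ruby expands a relative load-path entry against the current directory each time it changes; the second run, with '.' removed, has no entry pointing there and raises `LoadError`, which is the behaviour the commit relies on.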