Attachment 902394 Details for Bug 1101346 – revised facter-2.0.1 patch

[patch] revised facter-2.0.1 patch

facter-2.0.1-remove-current-directory-from-Ruby-load-path.patch (text/plain), 1.05 KB, created by Murray McAllister on 2014-06-05 04:57:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Murray McAllister

Created: 2014-06-05 04:57:02 UTC

Size: 1.05 KB

patch

obsolete

>From 849b4ccf8c65fb6dba69d40d7c91db413fb70060 Mon Sep 17 00:00:00 2001
>From: Peter Huene <peter.huene@puppetlabs.com>
>Date: Tue, 6 May 2014 14:28:08 -0700
>Subject: [PATCH] (FACT-480) Remove current directory from Ruby load path.
>
>The current directory ('.') is on the load path for Ruby 1.8.7.
>This is a security vulnerability as it allows arbitrary code loading if
>users create ruby source files with names that correspond to those that
>facter is trying to load.
>
>The fix is to explicitly remove '.' from the load path before any code
>is loaded by facter.
>
>diff --git a/bin/facter b/bin/facter
>index 0616157..7aec067 100755
>--- a/bin/facter
>+++ b/bin/facter
>@@ -1,5 +1,9 @@
> #!/usr/bin/env ruby
> 
>+# For security reasons, ensure that '.' is not on the load path
>+# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
>+$LOAD_PATH.delete '.'
>+
> # Bundler and rubygems maintain a set of directories from which to
> # load gems. If Bundler is loaded, let it determine what can be
> # loaded. If it's not loaded, then use rubygems. But do this before
>-- 
>1.8.4.3
>

Actions: View | Diff

Attachments on bug 1101346: 899370 | 899371 | 899372 | 899373 | 902394 | 902395 | 902396 | 902397 | 902398