Security Concern with the gem system...
Stephen Blackstone
Suppose I wrote a gem.. Lets call it "rals". It does the following
1) something Malicious
2) Installs Rails
For bonus points, it would also uninstall itself and try to suppress "rals successfully installed". (perhaps it spawns a new thread and then kills the gem process)...
A simple typo could lead to a massive security breach on the users system. Its particularly bad that many people do "sudo gem install" so the process is running as root...
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
Support Staff 1 Posted by Nick Quaranto on 04 Aug, 2012 06:49 PM
Sorry, this comment was buried in our spam inbox. And WOW from 2010! Very buried under tons of Russian spam.
gem installcan't run any code on the users' system after install. You have to specifically invoke code within it from another ruby process. In general, yes, typos are a problem, but we haven't seen anything yet. Thanks for bringing this up though.Nick Quaranto closed this discussion on 04 Aug, 2012 06:49 PM.