Issue #6955 has been reported by Jacek Masiulaniec.
----------------------------------------
Bug #6955: Risk of malicious code execution
https://projects.puppetlabs.com/issues/6955
Author: Jacek Masiulaniec
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Keywords:
Branch:
Fact search path includes current working directory:
[jacekm@localhost ~]$ ls facter
ls: facter: No such file or directory
[jacekm@localhost ~]$ facter >/dev/null
[jacekm@localhost ~]$ mkdir facter
[jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb
[jacekm@localhost ~]$ facter >/dev/null
evil code
[jacekm@localhost ~]$
This is harmful in multi-user environments: starting facter in a specially
crafted directory can result in malicious code execution.
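An audit of fact directories for the condition shown above, added here as an example and not Facter's own code. It assumes the loader appends "facter" to each Ruby load-path entry (the report shows only the resulting behaviour); all helper names are hypothetical and the directories are constructed for the demonstration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper. Assumption: the loader appends "facter" to every
# load-path entry, so "." yields "./facter" as in the report.
def candidate_fact_dirs(load_path)
  load_path.map { |dir| File.join(dir, 'facter') }
end

# Returns why a directory must not be searched, or nil when it is acceptable.
# Only the directory itself is checked here; a fuller audit would also walk
# its parent directories.
def rejection_reason(dir)
  return 'relative path, depends on cwd' unless Pathname.new(dir).absolute?
  return nil unless File.directory?(dir) # nothing there to load
  return 'group- or world-writable' if (File.stat(dir).mode & 0o022) != 0
  nil
end

# Splits the candidates into directories to load from and rejected ones.
def audit_fact_dirs(load_path)
  safe, rejected = [], {}
  candidate_fact_dirs(load_path).each do |dir|
    reason = rejection_reason(dir)
    if reason then rejected[dir] = reason else safe << dir end
  end
  [safe, rejected]
end

# Constructed input: one private directory, ".", and one world-writable one.
def demo
  Dir.mktmpdir do |root|
    good = File.join(root, 'lib')
    open_dir = File.join(root, 'shared')
    [[good, 0o755], [open_dir, 0o777]].each do |base, mode|
      FileUtils.mkdir_p(File.join(base, 'facter'))
      File.chmod(mode, File.join(base, 'facter'))
    end
    audit_fact_dirs([good, '.', open_dir])
  end
end

if __FILE__ == $PROGRAM_NAME
  safe, rejected = demo
  puts "load from: #{safe.inspect}"
  rejected.each { |dir, why| puts "skip #{dir}: #{why}" }
end
```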