Issue #6955 has been updated by Nigel Kersten.
Paul Nasrat wrote: > I'm not sure this is urgent, and a desperate fix may well break things in > current environments. This has been true for all releases of facter afaik. > Changing it quickly may also break development. I disagree. It is urgent that we work out how we're going to address this, even if we discover that we need to save the actual implementation for 1.6.0 or some other release where it's more practical to break backwards compability. ---------------------------------------- Bug #6955: Risk of malicious code execution https://projects.puppetlabs.com/issues/6955 Author: Jacek Masiulaniec Status: Accepted Priority: Urgent Assignee: Category: Target version: Keywords: Branch: Fact search path includes current working directory: [jacekm@localhost ~]$ ls facter ls: facter: No such file or directory [jacekm@localhost ~]$ facter >/dev/null [jacekm@localhost ~]$ mkdir facter [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb [jacekm@localhost ~]$ facter >/dev/null evil code [jacekm@localhost ~]$ This is harmful in multi-user environments: starting facter in specially crafted directory can result in malicious code execution. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
