Issue #6955 has been updated by Paul Nasrat.
The implementation predates my involvement with the project. If it's the automated testing issue, see the feature request I raised to add -I and -x to include/exclude paths Issue #4551, that's probably doable for 1.5.x.

If anyone ever works on the 2.0 stuff we should break the fact loading path to clear out the crappy structure of lib/facter/util to make the code first class lib/facter citizen and facts from elsewhere.

----------------------------------------
Bug #6955: Risk of malicious code execution
https://projects.puppetlabs.com/issues/6955

Author: Jacek Masiulaniec
Status: Accepted
Priority: Urgent
Assignee:
Category:
Target version:
Keywords:
Branch:

Fact search path includes current working directory:

    [jacekm@localhost ~]$ ls facter
    ls: facter: No such file or directory
    [jacekm@localhost ~]$ facter >/dev/null
    [jacekm@localhost ~]$ mkdir facter
    [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb
    [jacekm@localhost ~]$ facter >/dev/null
    evil code
    [jacekm@localhost ~]$

This is harmful in multi-user environments: starting facter in specially crafted directory can result in malicious code execution.
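
The report shows the fact search path resolving against the current working directory. As an added example (not Facter's code and not from the issue or its participants), this Ruby check audits a plugin search path for entries that are relative or world-writable; `audit_search_path`, `hardened_search_path` and the reason labels are hypothetical names, and auditing `$LOAD_PATH` when run directly is an assumption about which list matters.

```ruby
# Added example, not Facter code. PLUGIN_SUBDIR mirrors the "facter" directory
# from the report; function names and reason labels are hypothetical.
PLUGIN_SUBDIR = "facter"

# Return [entry, reason] pairs for search path entries where another local
# user could plant a plugin file.
def audit_search_path(search_path)
  findings = []
  search_path.each do |entry|
    # "", "." and any other relative entry resolve against the directory the
    # tool is started in, which is the condition shown in the report.
    unless entry.start_with?("/")
      findings << [entry, :relative_to_cwd]
      next
    end
    # Check the entry and its plugin subdirectory: a writable parent lets
    # another user create the subdirectory, a writable subdirectory lets
    # them drop a .rb file into it.
    [entry, File.join(entry, PLUGIN_SUBDIR)].each do |dir|
      next unless File.directory?(dir)
      if File.stat(dir).mode & 0o002 != 0
        findings << [entry, :world_writable]
        break
      end
    end
  end
  findings
end

# Drop every flagged entry, keeping the original order of the rest.
def hardened_search_path(search_path)
  flagged = audit_search_path(search_path).map(&:first)
  search_path.reject { |entry| flagged.include?(entry) }
end

if __FILE__ == $PROGRAM_NAME
  # Assumption: the plugin loader walks Ruby's $LOAD_PATH.
  audit_search_path($LOAD_PATH).each do |entry, reason|
    warn "#{reason}: #{entry.inspect}"
  end
end
```
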
