Issue #6955 has been updated by Josh Cooper.

The root cause of this problem is that ruby 1.8.x - 1.9.1 includes the current 
working directory in the $LOAD_PATH ($:). This behavior was changed in [ruby 
1.9.2](http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_0/NEWS):

<pre>
$: no longer includes the current directory, use require_relative
</pre>

Facter does not use require to load facts, instead it looks in the facter 
directory relative to every directory in the LOAD_PATH, and calls Kernel.load 
on every *.rb file. And since "." is in the LOAD_PATH, we get this behavior. 
Assuming \<somedir\>/facter/lib is in the LOAD_PATH, then it should be safe to 
exclude the current working directory during fact loading.

Interestingly, puppet's autoloader would have a similar problem when generating 
its list of module directories, except that it rejects directories in the 
LOAD_PATH that start with ".". Though this change was made due to #2574, when 
calling Dir.entries returns . and ..

<pre>
Thread.current[:env_module_directories][real_env] ||= 
real_env.modulepath.collect do |dir|
  Dir.entries(dir).reject { |f| f =~ /^\./ }.collect { |f| File.join(dir, f) }
end.flatten.collect { |d| [File.join(d, "plugins"), File.join(d, "lib")] 
}.flatten.find_all do |d|
  FileTest.directory?(d)
end
</pre>


----------------------------------------
Bug #6955: Risk of malicious code execution
https://projects.puppetlabs.com/issues/6955

Author: Jacek Masiulaniec
Status: Accepted
Priority: Urgent
Assignee: 
Category: 
Target version: 
Keywords: 
Branch: 
Affected Facter version: 


Fact search path includes current working directory:

    [jacekm@localhost ~]$ ls facter
    ls: facter: No such file or directory
    [jacekm@localhost ~]$ facter >/dev/null
    [jacekm@localhost ~]$ mkdir facter
    [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb
    [jacekm@localhost ~]$ facter >/dev/null
    evil code
    [jacekm@localhost ~]$ 

This is harmful in multi-user environments: starting facter in specially 
crafted directory can result in malicious code execution.


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.

Reply via email to