Issue #6955 has been updated by Josh Cooper.
The root cause of this problem is that ruby 1.8.x - 1.9.1 includes the current working directory in the $LOAD_PATH ($:). This behavior was changed in [ruby 1.9.2](http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_0/NEWS): <pre> $: no longer includes the current directory, use require_relative </pre> Facter does not use require to load facts, instead it looks in the facter directory relative to every directory in the LOAD_PATH, and calls Kernel.load on every *.rb file. And since "." is in the LOAD_PATH, we get this behavior. Assuming \<somedir\>/facter/lib is in the LOAD_PATH, then it should be safe to exclude the current working directory during fact loading. Interestingly, puppet's autoloader would have a similar problem when generating its list of module directories, except that it rejects directories in the LOAD_PATH that start with ".". Though this change was made due to #2574, when calling Dir.entries returns . and .. <pre> Thread.current[:env_module_directories][real_env] ||= real_env.modulepath.collect do |dir| Dir.entries(dir).reject { |f| f =~ /^\./ }.collect { |f| File.join(dir, f) } end.flatten.collect { |d| [File.join(d, "plugins"), File.join(d, "lib")] }.flatten.find_all do |d| FileTest.directory?(d) end </pre> ---------------------------------------- Bug #6955: Risk of malicious code execution https://projects.puppetlabs.com/issues/6955 Author: Jacek Masiulaniec Status: Accepted Priority: Urgent Assignee: Category: Target version: Keywords: Branch: Affected Facter version: Fact search path includes current working directory: [jacekm@localhost ~]$ ls facter ls: facter: No such file or directory [jacekm@localhost ~]$ facter >/dev/null [jacekm@localhost ~]$ mkdir facter [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb [jacekm@localhost ~]$ facter >/dev/null evil code [jacekm@localhost ~]$ This is harmful in multi-user environments: starting facter in specially crafted directory can result in malicious code execution. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
