Issue #6955 has been updated by Jeff Weiss.
Looking at this and thinking that perhaps, instead of excluding `.` and anything beginning with `..` (my first thought), we should rather exclude anything that isn't explicitly an absolute directory. We'll need to make certain that we don't screw up Windows when we do that.

----------------------------------------
Bug #6955: Risk of malicious code execution
https://projects.puppetlabs.com/issues/6955#change-62636

Author: Jacek Masiulaniec
Status: Accepted
Priority: Urgent
Assignee: Hailee Kenney
Category: library
Target version: 2.0.0
Keywords:
Branch:
Affected Facter version:

Fact search path includes current working directory:

    [jacekm@localhost ~]$ ls facter
    ls: facter: No such file or directory
    [jacekm@localhost ~]$ facter >/dev/null
    [jacekm@localhost ~]$ mkdir facter
    [jacekm@localhost ~]$ echo 'STDERR.puts "evil code"' > facter/evil.rb
    [jacekm@localhost ~]$ facter >/dev/null
    evil code
    [jacekm@localhost ~]$

This is harmful in multi-user environments: starting facter in a specially crafted directory can result in malicious code execution.
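The mitigation proposed in the update above (keep only search-path entries that are explicitly absolute directories, without breaking Windows) can be illustrated with the following Ruby, which is an added example and not Facter's own code. The function names `absolute_search_entry?`, `safe_search_path` and `fact_files` are assumptions made for this illustration; the sample search path and the temporary `facter/evil.rb` in the usage section are constructed inputs.

```ruby
# Added example (not Facter's own code): filter a fact search path so that only
# explicitly absolute directories survive. Relative entries such as ".", "..",
# "lib" or "" resolve against Dir.pwd at load time, which is exactly how a
# facter/evil.rb in the current working directory gets executed. Dropping them
# means the working directory can never contribute fact files.
require 'tmpdir'

# True if +entry+ is an explicitly absolute directory path on either POSIX
# ("/usr/lib/ruby") or Windows ("C:\Ruby\lib", "c:/ruby/lib", "\\server\share").
def absolute_search_entry?(entry)
  return false if entry.nil? || entry.empty?
  return true if entry.start_with?('/')                          # POSIX absolute
  return true if entry =~ /\A[A-Za-z]:[\\\/]/                    # Windows drive-letter absolute
  return true if entry.start_with?('\\\\', '//')                 # UNC share path
  false
end

# Return only the explicitly absolute entries, preserving their order.
def safe_search_path(entries)
  entries.select { |e| absolute_search_entry?(e) }
end

# Collect the fact files that a loader walking +entries+ would pick up.
# Because the path is filtered first, "." is never consulted even when the
# caller passes it (as an older Ruby $LOAD_PATH or a sloppy config might).
def fact_files(entries)
  safe_search_path(entries).flat_map do |dir|
    next [] unless File.directory?(dir)
    Dir.glob(File.join(dir, 'facter', '*.rb')).sort
  end
end

if $0 == __FILE__
  # Constructed sample search path mixing absolute and relative entries.
  sample = ['/usr/lib/ruby/site_ruby/1.8', 'lib', '.', '', 'C:\\Ruby\\lib', '../facter']
  puts "filtered search path: #{safe_search_path(sample).inspect}"

  # Reproduce the report's layout in a scratch directory: a facter/evil.rb
  # sitting in the working directory. With "." filtered out it is not found;
  # the same directory given as an absolute path is.
  Dir.mktmpdir do |tmp|
    Dir.mkdir(File.join(tmp, 'facter'))
    File.write(File.join(tmp, 'facter', 'evil.rb'), 'STDERR.puts "evil code"')
    Dir.chdir(tmp) { puts "from '.': #{fact_files(['.']).inspect}" }
    puts "from absolute dir: #{fact_files([tmp]).inspect}"
  end
end
```

The drive-letter and UNC checks are what keep the Windows case working: a plain `start_with?('/')` test would reject every Windows path and silently empty the search path there.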
