(PUP-2478) Remove current directory from Ruby load path.
The current directory ('.') is on the load path for Ruby 1.8.7.
This is a security vulnerability as it allows arbitrary code loading if
users create ruby source files with names that correspond to those that
puppet is trying to load.

The fix is to explicitly remove '.' from the load path before any code
is loaded by puppet.
Peter Huene authored and Moses Mendoza committed May 30, 2014
1 parent 0531614 commit 4b5586b
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions bin/puppet
@@ -1,4 +1,8 @@
#!/usr/bin/env ruby

# For security reasons, ensure that '.' is not on the load path
# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
$LOAD_PATH.delete '.'

require 'puppet/util/command_line'
Puppet::Util::CommandLine.new.execute
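
Review bot: `$LOAD_PATH.delete '.'` at the top of bin/puppet removes only entries that are exactly the string '.', so any other relative entry that reaches the load path (for example './' or 'lib' supplied through RUBYLIB or -I) is still resolved against the current directory on every Ruby version, not just 1.8.7. Consider dropping all non-absolute entries here, or at least noting in the comment that only the literal '.' is handled. The guard also lives only in this one executable, so any other entry point that requires puppet code does not get it; a short spec asserting that '.' is absent from `$LOAD_PATH` after startup would keep this from regressing.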
