| author | TADA Tadashi <t@tdtds.jp> | 2015-01-22 16:53:43 +0900 |
|---|---|---|
| committer | TADA Tadashi <t@tdtds.jp> | 2015-01-22 16:53:43 +0900 |
| commit | cf581d2709b307e00034a7d7cd017b80b1daddc1 (patch) | |
| tree | 652f595320beb75a63b24ab9c694a3c55066fbd6 | |
| parent | 6a6c0cf95852e78bdfe1bd11ee72672ca31e71d0 (diff) | |
| download | bundler-cf581d2709b307e00034a7d7cd017b80b1daddc1.tar.gz | |
untaint gem path loaded from github
`require` fails because of a security error under these conditions:
* $SAFE is 1
* the gem comes from git or GitHub, e.g. gem 'bar', :github => 'foo/bar'
The original full_gem_path method in rubygems untaints all gem paths (in the find_full_gem_path method), but Bundler overrides the method without untainting.
-rw-r--r-- | lib/bundler/rubygems_ext.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/bundler/rubygems_ext.rb b/lib/bundler/rubygems_ext.rb index 3451f5a1ad..5d7177415d 100644 --- a/lib/bundler/rubygems_ext.rb +++ b/lib/bundler/rubygems_ext.rb @@ -23,7 +23,7 @@ module Gem def full_gem_path source.respond_to?(:path) ? - Pathname.new(loaded_from).dirname.expand_path(Bundler.root).to_s : + Pathname.new(loaded_from).dirname.expand_path(Bundler.root).to_s.untaint : rg_full_gem_path end |
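Review bot: No regression test accompanies the `.untaint` added to the `source.respond_to?(:path)` branch of `full_gem_path`; the failure it fixes only shows up with `$SAFE = 1` and a git/github-sourced gem, so a spec that sets `$SAFE` in a subprocess and requires such a gem would keep this from being silently dropped again. A one-line comment on `Pathname.new(loaded_from).dirname.expand_path(Bundler.root).to_s.untaint` saying it mirrors rubygems' own untainting in `find_full_gem_path` (as the commit message explains) would also help, because a bare `.untaint` on a path derived from `loaded_from` otherwise reads like an unexplained weakening of taint tracking rather than parity with the `rg_full_gem_path` fallback.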