From ce6ab75842178d300e1c9b47b9f54afbf65da185 Mon Sep 17 00:00:00 2001
From: Peter Huene <peter.huene@puppetlabs.com>
Date: Tue, 6 May 2014 14:33:11 -0700
Subject: [PATCH] (FACT-480) Remove current directory from Ruby load path.

The current directory ('.') is on the load path for Ruby 1.8.7.
This is a security vulnerability as it allows arbitrary code loading if
users create ruby source files with names that correspond to those that
facter is trying to load.

The fix is to explicitly remove '.' from the load path before any code
is loaded by facter.
---
 bin/facter | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bin/facter b/bin/facter
index 0616157..7aec067 100755
--- a/bin/facter
+++ b/bin/facter
@@ -55,6 +55,10 @@
 # Copyright (c) 2011 Puppet Labs, Inc
 # Licensed under the Apache 2.0 license

+# For security reasons, ensure that '.' is not on the load path
+# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
+$LOAD_PATH.delete '.'
+
 # Bundler and rubygems maintain a set of directories from which to
 # load gems. If Bundler is loaded, let it determine what can be
 # loaded. If it's not loaded, then use rubygems. But do this before
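Review bot: `$LOAD_PATH.delete '.'` only removes entries that are exactly the string `'.'`, so other current-directory spellings that can reach the load path on 1.8.7 (for example `'./'`, or a relative entry prepended through `RUBYLIB`, which the interpreter resolves against the working directory at `require` time) are not caught; consider a predicate instead, e.g. `$LOAD_PATH.delete_if { |p| p == '.' || p == '' || p.start_with?('./') }`, and keep it, as the hunk already does, ahead of every `require` in bin/facter, since a `require` issued before the cleanup would itself be resolved against the unpatched path. Also note that the diffstat touches only bin/facter, so a process that loads facter as a library on 1.8.7 gets none of this protection; it may be worth documenting that limitation in the commit message or applying the same guard where the library entry point is loaded.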


-- 
2.1.2