Open postmodern opened 1 year ago
It also appears that it's possible to put single quotes in the executable name, which would be useful for escaping quoted values.
```ruby
Gem::Specification.new do |spec|
  spec.name = "test"
  spec.version = '0.0.0'
  spec.authors = ['test']
  spec.email = ["test@example.com"]
  spec.summary = %q{Test gem}
  spec.description = %q{This is a test gem.}
  spec.homepage = "https://github.com/postmodern/test/tree/master/ruby/gem"
  spec.license = "MIT"
  spec.files = ["test.gemspec", "bin/'escape"]
  spec.executables = ["'escape"]
  spec.require_paths = ["lib"]
end
```
Describe the problem as clearly as you can
I believe that there should be additional validations on Gem::Specification#executables to not allow executable names that contain spaces. This could potentially lead to command injection in other tools which parse the executable names of gemspecs.
Post steps to reproduce the problem
test.gemspec:
Which command did you run?
What were you expecting to happen?
A validation error about the command containing a space.
What actually happened?
Run gem env and paste the output below
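The kind of check the report asks for, as an added example that is not RubyGems code and not from the issue author: it flags executable names that contain whitespace, quote characters or other shell metacharacters, or that are not a bare file name, before any tool interpolates them into a command line. The function names and the sample inputs are assumptions constructed for this example.

```ruby
# Added example, not RubyGems code: a validation of the kind the issue asks for
# on Gem::Specification#executables. Names are accepted only if they are a bare
# file name made of letters, digits, dot, underscore and dash, starting with a
# letter or digit (so a name cannot be mistaken for a command-line option).
SAFE_EXECUTABLE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Returns human-readable error strings for every offending name; an empty
# array means every executable name passed.
def executable_name_errors(executables)
  executables.each_with_object([]) do |name, errors|
    if name.match?(/\s/)
      errors << "executable #{name.inspect} contains whitespace"
    elsif name.match?(/['"`$\\;|&<>()]/)
      errors << "executable #{name.inspect} contains shell metacharacters"
    elsif name.include?("/") || name == "." || name == ".."
      errors << "executable #{name.inspect} must be a bare file name"
    elsif !name.match?(SAFE_EXECUTABLE_NAME)
      errors << "executable #{name.inspect} has disallowed characters"
    end
  end
end

# Convenience predicate for use at spec validation time.
def valid_executable_names?(executables)
  executable_name_errors(executables).empty?
end

if __FILE__ == $0
  # Constructed sample input, including the quoted name from the issue's gemspec.
  sample = ["escape", "'escape", "has space", "../evil", "-flag"]
  executable_name_errors(sample).each { |e| puts e }
end
```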