chruby v0.3.5 Release Notes

Release Date: 2013-05-29
    • Added an RPM spec.
    • Respect PREFIX when auto-detecting /opt/rubies/*.
    • Do not set GEM_ROOT if rubygems is not installed (Charlie Somerville).
    • chruby_use now echoes the selected ruby and the version, only if the shell is in interactive mode (Brian D. Burns).
    • chruby_reset no longer accidentally removes /bin if GEM_HOME or GEM_ROOT are empty (David Grayson).
    • chruby now selects the last lexical match for the given ruby.

    auto.sh

    • Ensure that auto-switching works in non-interactive mode:
      • zsh: use preexec_functions which runs in both interactive and non-interactive sessions.
      • bash: use trap DEBUG which runs before every command, in both interactive and non-interactive mode. PROMPT_COMMAND only runs in interactive mode.
    • Fixed a serious design flaw, where chruby_auto passed the contents of .ruby-version as multiple arguments to the chruby function. Originally, this allowed for .ruby-version files to specify additional RUBYOPT options (ex: jruby --1.8). However, an attacker could craft a malicious .ruby-version file that would require arbitrary code (ex: 1.9.3 -r./evil.rb). The ./evil.rb file would then be required when ruby is invoked by chruby_use in order to determine RUBY_ENGINE, RUBY_VERSION, GEM_ROOT.

    In order to prevent the abuse of this feature, chruby_auto now passes the entire contents of .ruby-version as the first and only argument to the chruby function.

    If you have auto.sh enabled, it is recommended that you upgrade. If you cannot upgrade, consider disabling auto.sh. If you want to scan your entire system for malicious .ruby-version files:

        find / -name .ruby-version 2>/dev/null | xargs -I{} grep -H " " {}
    

    Thanks to David Grayson for reporting this flaw.
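
The difference between the old and new argument passing, plus a per-file audit, as an added example that is not chruby's own code. select_ruby is a hypothetical stand-in for the chruby function, all helper names are made up for illustration, and the script assumes only the first line of .ruby-version is used; the audit goes slightly beyond the grep above by also catching tab-separated words and ignoring harmless trailing whitespace.

```shell
# Added illustration, not chruby's code. select_ruby is a hypothetical
# stand-in for the chruby function; it only reports its argument count.
select_ruby() { echo "$#"; }

# Read the first line of a file into $version (assumption: only the first
# line is used). Succeeds even when the file has no trailing newline.
read_version() { version=; IFS= read -r version < "$1" || [ -n "$version" ]; }

# Flawed pattern from the release notes: unquoted expansion word-splits the
# contents, so words after the version become extra arguments.
pass_split() {
    read_version "$1" || return 0
    # shellcheck disable=SC2086  (unquoted on purpose to show the flaw)
    select_ruby $version
}

# Fixed pattern: the entire contents travel as the first and only argument.
pass_whole() { read_version "$1" || return 0; select_ruby "$version"; }

# Print "path<TAB>extra words" and return 1 if the first line of the file
# would have been split into more than one argument (spaces or tabs).
audit_file() {
    audit_path=$1
    read_version "$audit_path" || return 0
    set -f; set -- $version; set +f     # split like the old code, no globbing
    [ "$#" -le 1 ] && return 0
    shift
    printf '%s\t%s\n' "$audit_path" "$*"
    return 1
}

# Audit every .ruby-version file under a directory.
audit_tree() {
    find "$1" -type f -name .ruby-version 2>/dev/null |
    while IFS= read -r f; do audit_file "$f" || true; done
}

# Constructed sample tree: one clean file, one carrying an extra option.
make_samples() {
    d=$(mktemp -d) && mkdir "$d/ok" "$d/bad" &&
    printf '1.9.3\n' > "$d/ok/.ruby-version" &&
    printf '1.9.3 -r./evil.rb\n' > "$d/bad/.ruby-version" && echo "$d"
}

samples=$(make_samples)
echo "split: $(pass_split "$samples/bad/.ruby-version") args;" \
     "whole: $(pass_whole "$samples/bad/.ruby-version") arg"
audit_tree "$samples"
rm -rf "$samples"
```

Run audit_tree against a home directory or checkout root to list only the files whose contents would have reached the old chruby_auto as more than one argument.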

    scripts/setup.sh

    • Do not assume bash is installed at /bin/bash (Shannon Skipper).