chruby v0.3.5 Release Notes
Release Date: 2013-05-29
- Added an RPM spec.
- Respect PREFIX when auto-detecting /opt/rubies/*.
- Do not set GEM_ROOT if rubygems is not installed (Charlie Somerville).
- chruby_use now echoes the selected ruby and the version, only if the shell is in interactive mode (Brian D. Burns).
- chruby_reset no longer accidentally removes /bin if GEM_HOME or GEM_ROOT are empty (David Grayson).
- chruby now selects the last lexical match for the given ruby.
auto.sh
- Ensure that auto-switching works in non-interactive mode:
  - zsh: use preexec_functions, which runs in both interactive and non-interactive sessions.
  - bash: use trap DEBUG, which runs before every command, in both interactive and non-interactive mode. PROMPT_COMMAND only runs in interactive mode.
- Fixed a serious design flaw, where chruby_auto passed the contents of .ruby-version as multiple arguments to the chruby function. Originally, this allowed for .ruby-version files to specify additional RUBYOPT options (ex: jruby --1.8). However, an attacker could craft a malicious .ruby-version file that would require arbitrary code (ex: 1.9.3 -r./evil.rb). The ./evil.rb file would then be required when ruby is invoked by chruby_use in order to determine RUBY_ENGINE, RUBY_VERSION, GEM_ROOT.

  In order to prevent the abuse of this feature, chruby_auto now passes the entire contents of .ruby-version as a first and only argument to the chruby function.

  If you have auto.sh enabled, it is recommended that you upgrade. If you cannot upgrade, consider disabling auto.sh. If you want to scan your entire system for malicious .ruby-version files:

      find / -name .ruby-version 2>/dev/null | xargs -i{} grep -H " " {}

  Thanks to David Grayson for reporting this flaw.
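
The argument-splitting flaw and its fix, modeled as an added example (not chruby's own code or part of the original notes), together with a scoped variant of the audit above that also catches tabs and handles paths containing spaces. The function names, the count_args stand-in for the chruby function, and the sample tree are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Stand-in for the chruby function (hypothetical): it only reports how many
# arguments it received; it never runs ruby or switches anything.
count_args() { echo "$#"; }

# Simplified model of the flawed call: the file contents are expanded
# unquoted, so the shell word-splits them into several arguments.
auto_unquoted() {
    contents=$(cat "$1")
    # shellcheck disable=SC2086  # unquoted on purpose: this is the flaw
    count_args $contents
}

# Model of the 0.3.5 behaviour: the whole contents are one argument.
auto_quoted() {
    contents=$(cat "$1")
    count_args "$contents"
}

# Audit: print every .ruby-version under directory $1 that contains a space
# or tab. Reads one path per line, so paths with spaces are handled.
scan_ruby_versions() {
    find "$1" -type f -name .ruby-version 2>/dev/null |
    while IFS= read -r file; do
        if grep -q '[[:blank:]]' "$file"; then printf '%s\n' "$file"; fi
    done
}

# Constructed sample tree: one plain file, one using the page's example line.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/ok" "$root/my project"
    printf '1.9.3\n' > "$root/ok/.ruby-version"
    printf '1.9.3 -r./evil.rb\n' > "$root/my project/.ruby-version"
    echo "$root"
}

samples=$(make_samples)
echo "unquoted: $(auto_unquoted "$samples/my project/.ruby-version") argument(s)"
echo "quoted:   $(auto_quoted "$samples/my project/.ruby-version") argument(s)"
echo "flagged:"; scan_ruby_versions "$samples"
rm -rf "$samples"
```

A flagged file is not necessarily malicious; it only means the contents would have been split into more than one argument by the pre-0.3.5 behaviour and deserve a manual look.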
scripts/setup.sh
- Do not assume bash is installed at /bin/bash (Shannon Skipper).