#934 Insecure mongrel_rails invocation, unable to use "system" mongrel - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#934 ✓wontfix

Insecure mongrel_rails invocation, unable to use "system" mongrel

Reported by Alexey I. Froloff | August 29th, 2008 @ 05:25 PM | in 2.x

This patch fixes two issues:

Using backticks is insecure, use Process::exec method in multiple argument form when "-d" option given.

load("mongrel_rails") fails if mongrel is not installed from gem, try CONFIG['bindir'] if at first we don't succeed.

josh November 22nd, 2008 @ 06:25 PM
- State changed from “new” to “wontfix”
the script/server will soon be replaced by a rackup command that won't use any system calls.

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>