Minero Aoki
Hi all,

This is a summary of the ruby-dev ML over the last few days.

[ruby-dev:26100] FileUtils.rm_rf security problem (contd.)

TANAKA Akira reported a local vulnerability in FileUtils.rm_r.
This problem is known as a TOCTTOU (time-of-check-to-time-of-use)
problem. For details of this vulnerability, see the following cases:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
Minero Aoki, the maintainer of fileutils.rb, implemented several
versions of rm_r, but they are still incomplete.
This issue is still open.

[ruby-dev:26128] ruby needs two Ctrl-C for termination

Tanaka Akira reported that ruby does not exit on a single Ctrl-C
with the following program:

  trap(:INT, "EXIT")
  Thread.start { Thread.pass }
  STDIN.sysread(4096)

This issue is still open.

[ruby-dev:26132] Hash#hash on 1.9

H.Yamamoto reported that Hash#hash returns different hash values
for the same hash table:

  % ruby -e '
  h = {1=>nil, 2=>nil, []=>nil, {}=>nil, 5=>nil}
  p h.hash
  p h.clone.hash
  '
  3640
  10552

Matz resolved this problem by removing the custom Hash#hash and Hash#eql?.

[ruby-dev:26156] ruby 1.8.3 preview1

Matz released ruby 1.8.3 preview1.
Here is a list of known bugs. This list includes additional items.
[ruby-dev:24243] Re: private load and Module.nesting
[ruby-dev:26010] rb_attr_get may warn
[ruby-dev:26100] FileUtils.rm_rf security problem
[ruby-dev:26128] ruby needs two ^C for termination
[ruby-core:4622] tempfile.rb
[ruby-core:4326] RDoc parse_c.rb for C ext libs consisting of many *.c files
[ruby-core:4328] Re: RDoc parse_c.rb for C ext libs consisting of many *.c files
[ruby-core:4302] [PATCH] RDoc parse_rb.rb: Logic for def Builtin.method() end
[ruby-core:4572] [PATCH] RDoc - :nodoc: and macro in C
[ruby-core:4869] [BUG] Infinite loop on YAML.dump (Re: ruby-list:40801)
Masahiro Tomita claimed that ruby should not warn when loading
getopts, with $VERBOSE=false. Matz agreed with him. In addition,
WATANABE Hirofumi said that optparse.rb is too difficult to use;
he recommended bundling ropt instead. For details of ropt, refer
to RAA:
http://raa.ruby-lang.org/project/ropt/

[ruby-dev:26180] glob without String

Nobuyoshi Nakada posted a patch which allows rb_glob() to be called
before ruby_init(). This patch was incorporated.

-- Minero Aoki
ruby-dev summary index:
http://i.loveruby.net/en/ruby-dev-summary.html
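
The check-then-use gap behind the [ruby-dev:26100] report, as an added example that is not part of the original post and is not the fileutils.rb code: a recursive remover that checks a path with lstat and then lists it by name, beside a variant that compares device and inode after opening the directory. The method names, the `between:` test hook and the temporary-directory scenario are constructed for illustration.

```ruby
require "tmpdir"

class RaceDetected < StandardError; end

# Vulnerable shape: the lstat check and the directory listing are two
# separate path lookups, so the path can change identity in between.
def naive_rm_r(path, between: nil)
  return File.unlink(path) unless File.lstat(path).directory?
  between&.call(path)                  # race window (hypothetical test hook)
  Dir.children(path).each { |e| naive_rm_r(File.join(path, e)) }
  Dir.rmdir(path)
end

# Hardened shape: open the directory, then compare the opened object's
# device/inode with what lstat saw. A swapped-in symlink fails the comparison.
def guarded_rm_r(path, between: nil)
  st = File.lstat(path)
  return File.unlink(path) unless st.directory?
  between&.call(path)                  # same race window as above
  File.open(path) do |dir|
    now = dir.stat
    raise RaceDetected, path unless [now.dev, now.ino] == [st.dev, st.ino]
  end
  # Children are still reached by path, so this narrows the window only;
  # it is not a complete fix on its own.
  Dir.children(path).each { |e| guarded_rm_r(File.join(path, e)) }
  Dir.rmdir(path)
end

# Constructed scenario: "victim" must survive; "tmp" is what we asked to delete.
# Returns [victim data still present?, exception class raised or nil].
def run_case(remover)
  Dir.mktmpdir do |root|
    victim = File.join(root, "victim")
    Dir.mkdir(victim)
    File.write(File.join(victim, "data"), "keep me")
    target = File.join(root, "tmp")
    Dir.mkdir(target)
    # Simulates a concurrent change to the path between check and use.
    swap = ->(p) { Dir.rmdir(p); File.symlink(victim, p) }
    begin
      send(remover, target, between: swap)
    rescue RaceDetected, SystemCallError => e
      outcome = e.class
    end
    [File.exist?(File.join(victim, "data")), outcome]
  end
end
```

Current Ruby ships `FileUtils.remove_entry_secure`, whose documentation cites [ruby-dev:26100] and the two CVE entries above; prefer it over a hand-rolled remover in directories other users can write to.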