ruby-dev summary 23763-23840

Minero Aoki

Hi all,

This is a summary of the ruby-dev ML over the last few days.

[ruby-dev:23762] Ruby 1.8.2 to be released

Kouhei Sutou requested to import his RSS Parser library into 1.8 branch,
and Matz agreed with him.

[ruby-dev:23784] URI()

TANAKA Akira proposed a new global method URI(), to construct a URI
object. With this method, you can write an HTTP GET program as below:

print URI("http://www.example.com/").read

This program is better than `open("http://....").read' because it
properly closes IO objects.

Here are some opinions: (+ : approval, - : objection)

+ There are similar methods such as Integer(), String(), etc.
+ URI is a name, literal-like syntax seems good.
- URI.[] is better because URI() pollutes the global name space.
- String(obj) calls obj.to_s. Integer(obj) calls obj.to_i.
But URI(obj) does not call obj.to_uri.
(Note that Complex(obj) does not call obj.to_complex, too.)
- A method name which begins with a capital looks bad.

This issue is still open.

[ruby-dev:23814] $SAFE in Proc
[ruby-dev:23815] set_trace_func in safe mode

Nobuyoshi Nakada posted two security considerations.

1. $SAFE=4 program can safely call a Proc object which is created
by $SAFE=0, and it runs in $SAFE=0. It causes `$SAFE downgrading'.

-> Matz said that it is not a problem because Proc objects which
are created in $SAFE=0 environment should be trustable.
In other words, you should not load untrustable code in $SAFE<4.

2. set_trace_func should be prohibited in $SAFE>0.

-> Matz stated that $SAFE>3 check is enough,
because we are trusting $SAFE<=3 codes.


-- Minero Aoki

ruby-dev summary index:
http://i.loveruby.net/en/ruby-dev-summary.html
 
Ara.T.Howard

[ruby-dev:23784] URI()

TANAKA Akira proposed a new global method URI(), to construct a URI
object. With this method, you can write an HTTP GET program as below:

print URI("http://www.example.com/").read

This program is better than `open("http://....").read' because it
properly closes IO objects.

Here are some opinions: (+ : approval, - : objection)

+ There are similar methods such as Integer(), String(), etc.
+ URI is a name, literal-like syntax seems good.
- URI.[] is better because URI() pollutes the global name space.
- String(obj) calls obj.to_s. Integer(obj) calls obj.to_i.
But URI(obj) does not call obj.to_uri.
(Note that Complex(obj) does not call obj.to_complex, too.)
- A method name which begins with a capital looks bad.

This issue is still open.

why not

URI::read :

  def URI.read uri
    begin
      u = parse "#{ uri }"
      u.read
    ensure
      u.close
    end
  end

+ like IO::read, YAML::load, etc.
+ no name space pollution
+ only requires ducktype string like parse

-a
--
===============================================================================
| EMAIL :: Ara [dot] T [dot] Howard [at] noaa [dot] gov
| PHONE :: 303.497.6469
| A flower falls, even though we love it;
| and a weed grows, even though we do not love it.
| --Dogen
===============================================================================
 
Ben Giddings

Minero said:
[ruby-dev:23784] URI()

TANAKA Akira proposed a new global method URI(), to construct a URI
object. With this method, you can write an HTTP GET program as below:

print URI("http://www.example.com/").read

This program is better than `open("http://....").read' because it
properly closes IO objects.

Here are some opinions: (+ : approval, - : objection)

+ There are similar methods such as Integer(), String(), etc.
+ URI is a name, literal-like syntax seems good.
- URI.[] is better because URI() pollutes the global name space.
- String(obj) calls obj.to_s. Integer(obj) calls obj.to_i.
But URI(obj) does not call obj.to_uri.
(Note that Complex(obj) does not call obj.to_complex, too.)
- A method name which begins with a capital looks bad.

I like the idea of a simple way to deal with URIs, but I agree with all
the objections to this idea.

Is there some reason it couldn't be a factory method of a URI class,
making the example like:

URI.create("http://www.example.com").read

The factory method, 'create' could return URI type objects, customized
for that particular URI.

For a local file:

irb> URI.create("file:///path/to/local/file.txt")
=> #<File:/path/to/local/file.txt>

For a HTTP connection it would return a HTTP object, for gopher a Gopher
object, etc.

Sure, it's an extra 6 keystrokes (one for the dot, 5 for create) but it
seems to satisfy the objections. Maybe someone has a better option for
the factory method name?

Ben
 
Yukihiro Matsumoto

Hi,

In message "Re: ruby-dev summary 23763-23840"

|Is there some reason it couldn't be a factory method of a URI class,
|making the example like:
|
|URI.create("http://www.example.com").read

We already have a factory method, "parse", that is shorter than
"create". We were talking about saving a few strokes.

matz.
 
gabriele renzi

On Fri, 2 Jul 2004 20:08:42 +0900, Minero Aoki <[email protected]>
wrote:


Why not override IO.read ?
And if short typing is the issue, what is the short alternative to
IO.read? :)
 
Paul Brannan

[ruby-dev:23814] $SAFE in Proc
[ruby-dev:23815] set_trace_func in safe mode

Nobuyoshi Nakada posted two security considerations.

1. $SAFE=4 program can safely call a Proc object which is created
by $SAFE=0, and it runs in $SAFE=0. It causes `$SAFE downgrading'.

-> Matz said that it is not a problem because Proc objects which
are created in $SAFE=0 environment should be trustable.
In other words, you should not load untrustable code in $SAFE<4.

2. set_trace_func should be prohibited in $SAFE>0.

-> Matz stated that $SAFE>3 check is enough,
because we are trusting $SAFE<=3 codes.

I'm not sure I agree. I don't think it should ever be possible to
downgrade your $SAFE level without help from a thread that already has
its $SAFE level downgraded, but it is:

  # "safe" thread
  t = Thread.new do
    Thread.current.abort_on_exception = true
    $SAFE = 1
    set_trace_func proc { |x|
      b = x[4]
      safe = eval("$SAFE", b)
      if safe == 0 then
        # now we have a binding with $SAFE=0 and we can effectively
        # bypass $SAFE
        puts "got a binding with $SAFE=0!"
        set_trace_func nil
      end
    }
    sleep
  end

  # main thread
  sleep 1

I'd have to be malicious to write code like this, and potentially
malicious code shouldn't be executed in $SAFE=1, but if explicitly
setting $SAFE is disallowed, then so should the above code. Is there a
practical use calling set_trace_func when $SAFE=1?

Paul
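
The mechanism behind the snippet above, as an added example that is not part of the original post: a trace hook is handed the Binding of every frame it observes, so whoever installs the hook can read state that belongs to other code. It runs on current Ruby, where $SAFE no longer has any effect (it became an ordinary global in Ruby 3.0), so it shows only the binding exposure; `privileged_work`, `capture_locals_via_trace` and the token value are constructed for illustration.

```ruby
# Added example (not from the thread). All names and values are constructed.

# Stands in for code running with more trust than the hook's author.
# The local below is never passed to or returned to the caller.
def privileged_work
  token = "constructed-secret"   # sample value
  token.length
end

# Installs a trace hook, runs the privileged method, and returns whatever
# locals the hook could read out of that method's frame.
def capture_locals_via_trace
  seen = {}
  set_trace_func proc { |event, _file, _line, id, binding, _klass|
    # Only look at line events inside the privileged method.
    next unless event == "line" && id == :privileged_work && binding
    # The binding belongs to privileged_work's frame, not to the hook.
    binding.local_variables.each do |name|
      seen[name] = binding.local_variable_get(name)
    end
  }
  privileged_work
  seen
ensure
  # Always remove the hook so later code is not traced.
  set_trace_func nil
end

if __FILE__ == $PROGRAM_NAME
  p capture_locals_via_trace
end
```

Because the hook sees every frame, code allowed to call set_trace_func has to be trusted as much as the most privileged code running in the same process.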
 
Tanaka Akira

gabriele renzi said:
Why not override IO.read ?

Sometimes IO.read is used as File.read. I feel File.xxx means an
operation for a local file.

Since redefining IO.read violates the meaning, I don't want to do it.
 
Yukihiro Matsumoto

Hi,

In message "Re: ruby-dev summary 23763-23840"

|> 2. set_trace_func should be prohibited in $SAFE>0.
|>
|> -> Matz stated that $SAFE>3 check is enough,
|> because we are trusting $SAFE<=3 codes.
|
|I'm not sure I agree. I don't think it should ever be possible to
|downgrade your $SAFE level without help from a thread that already has
|its $SAFE level downgraded, but it is:

<snip>

|I'd have to be malicious to write code like this, and potentially
|malicious code shouldn't be executed in $SAFE=1, but if explicitly
|setting $SAFE is disallowed, then so should the above code.

Define "malicious" before saying "shouldn't". ;-)

|Is there a practical use calling set_trace_func when $SAFE=1?

For example, running a debugger on -T1 program.

matz.
 
Paul Brannan

|I'd have to be malicious to write code like this, and potentially
|malicious code shouldn't be executed in $SAFE=1, but if explicitly
|setting $SAFE is disallowed, then so should the above code.

Define "malicious" before saying "shouldn't". ;-)

:)

I guess I meant "potentially malicious" as a synonym for "untrusted".

|Is there a practical use calling set_trace_func when $SAFE=1?

For example, running a debugger on -T1 program.

Shouldn't this be possible anyway, since -rdebug has to be specified
before -T1 on the command line (and thus the debugger will be started
before $SAFE is set)?

Paul
 
Yukihiro Matsumoto

Hi,

In message "Re: ruby-dev summary 23763-23840"

|> For example, running a debugger on -T1 program.
|
|Shouldn't this be possible anyway, since -rdebug has to be specified
|before -T1 on the command line (and thus the debugger will be started
|before $SAFE is set)?

There's no way to turn off $SAFE in mod_ruby programs, for example.
Should they abandon tracing?

matz.
 
Martin DeMello

Minero Aoki said:
+ There are similar methods such as Integer(), String(), etc.
- URI.[] is better because URI() pollutes the global name space.
- String(obj) calls obj.to_s. Integer(obj) calls obj.to_i.
But URI(obj) does not call obj.to_uri.
(Note that Complex(obj) does not call obj.to_complex, too.)
- A method name which begins with a capital looks bad.

I like the idea of Class() being used as a constructor - it's a neat,
readable idiom. I don't really see this as namespace pollution, since
the class and the method are in some sense logically bound together;
similarly the fact that this is a special case makes the capital
acceptable.

martin
 
Paul Brannan

There's no way to turn off $SAFE in mod_ruby programs, for example.
Should they abandon tracing?

I suppose before I can answer that I would need to know why mod_ruby
sets $SAFE to 1.

Paul
 
