Masayoshi Takahashi
Hi all,
This is a summary of the ruby-dev ML these days.
[ruby-dev:24106] return value of Process.daemon
Process.daemon is now implemented in the Ruby HEAD branch, but
Tanaka Akira, who requested this method in
[ruby-dev:24030], suggested that Process.daemon should return
nil, not 0, contrary to the current implementation.
Matz gave his opinion that methods corresponding to
system calls or library functions should return
their return values unchanged.
[ruby-dev:24140] CGI::Session has security problem?
Takahiro Kambe introduced Debian Security Advisory DSA 537-1
(http://www.debian.org/security/). The document is about
a vulnerability caused by insecure file permissions.
Matz answered that Ruby 1.8.2, 1.6.8 on CVS and HEAD are fixed,
but he thought any CGI script using CGI::Session should use
umask, because it cannot explicitly define the file permissions of
new files created by fopen(3) without umask.
[ruby-dev:24143] problem in execution of external command in here document
Tome reported a problem with external command execution in a here document
on mswin32.
#bad
p <<`EOC`
ls.exe
EOC
#good
p `ls.exe`
This problem arises because the interpreter tries to execute
"ls.exe\n" without chomping the trailing "\n", which the Windows
shell cannot handle.
U.Nakamura promised that he'll add something to handle this
problem.
[ruby-dev:24156] CGI::Session::FileStore should not use Dir::tmpdir
Shugo Maeda pointed out a problem in CGI::Session::FileStore.
The module used Dir::tmpdir as the default value of the parameter 'tmpdir'.
Suppose Dir::tmpdir is '/tmp'; any user who can log in to the
server can see the session files' names, and so learn
session ids without opening the session files.
Shugo relayed an idea from IRC: increase the length of the
session id and store the remainder inside its file.
Matz showed another solution: apply a one-way function once more
to convert the session id into the filename.
Regards,
TAKAHASHI 'Maki' Masayoshi E-mail: (e-mail address removed)
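As an added illustration of the two mitigations discussed in the summary above (explicit file permissions instead of trusting umask for session files, and a one-way function over the session id to derive the filename), here is a small constructed Ruby store. It is not the cgi/session code from the thread; the class name HashedFileStore, its methods and the sample session id are assumptions for this example.

```ruby
require 'digest'
require 'tmpdir'

# Constructed example, not Ruby's cgi/session: a minimal file-backed
# session store applying the two mitigations discussed in the thread.
class HashedFileStore
  def initialize(dir)
    @dir = dir
  end

  # Matz's suggestion: run the session id through a one-way function once
  # more, so a directory listing shows only digests, never the id itself.
  def path_for(session_id)
    File.join(@dir, "ruby_sess.#{Digest::SHA256.hexdigest(session_id)}")
  end

  # Explicit 0600 permission (not dependent on the process umask) plus
  # O_EXCL, so we create the file ourselves and never reuse an existing one.
  def create(session_id, data)
    path = path_for(session_id)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(data)
    end
    path
  end

  # True if any file name in dir reveals the raw session id (the leak the
  # thread describes for a world-readable /tmp).
  def self.leaks_id?(dir, session_id)
    Dir.children(dir).any? { |name| name.include?(session_id) }
  end
end

# Compare the naive "id in filename" layout with the hashed one.
# Returns [naive_leaks, hashed_leaks, file_mode_of_hashed_session].
def demo
  sid = "0123456789abcdef" # constructed session id
  Dir.mktmpdir do |naive_dir|
    Dir.mktmpdir do |hashed_dir|
      File.write(File.join(naive_dir, "ruby_sess.#{sid}"), "naive") # layout the thread warns about
      path = HashedFileStore.new(hashed_dir).create(sid, "user=alice")
      [HashedFileStore.leaks_id?(naive_dir, sid),
       HashedFileStore.leaks_id?(hashed_dir, sid),
       File.stat(path).mode & 0777]
    end
  end
end
```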