Ruby vulnerability in the safe level settings

Discussion in 'Ruby' started by Ben Gribaudo, Oct 7, 2005.

  1. Ben Gribaudo

    Ben Gribaudo Guest

    Hi,

    In regards to the recent safe level setting vulnerability
    (http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby
    safe level restrictions): If I trust all of the code being run and don't
    eval any user input, am I unaffected by this problem (meaning that I
    don't need to rush to upgrade to 1.8.3)?

    Thanks,
    Ben
     
    Ben Gribaudo, Oct 7, 2005
    #1

  2. ts

    ts Guest

    B> In regards to the recent safe level setting vulnerability
    B> (http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby
    B> safe level restrictions): If I trust all of the code being run and don't
    B> eval any user input, am I unaffected by this problem (meaning that I
    B> don't need to rush to upgrade to 1.8.3)?

    If you know how ruby works, you are not affected.

    If you don't know, first learn ruby.

    The example, for this pseudo-vulnerability, was given by matz in
    [ruby-core:5927].

    http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5927

    This example was given many times in ruby-talk, to warn you if you want
    to use $SAFE = 4. Apparently some security teams don't read ruby-talk.

    Sorry,

    Guy Decoux
     
    ts, Oct 7, 2005
    #2

  3. Yukihiro Matsumoto

    Hi,

    In message "Re: Ruby vulnerability in the safe level settings"

    |If I trust all of the code being run and don't
    |eval any user input, am I unaffected by this problem (meaning that I
    |don't need to rush to upgrade to 1.8.3)?

    If I trust what you wrote, yes. ;-)

    matz.
     
    Yukihiro Matsumoto, Oct 7, 2005
    #3
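The condition both replies hinge on is the one in the question: all code is trusted and no user input is ever passed to eval. The following is an added example, not code from this thread or from the Ruby project, showing what that condition looks like in practice. It contrasts a dispatcher that builds Ruby source from a user-supplied line with an allowlisted dispatcher that only ever treats the line as data. The command names, the `COMMANDS` table and the sample inputs are constructed for the example. It deliberately does not use `$SAFE`: safe levels and taint tracking were deprecated in Ruby 2.7 and removed in the 3.x series, so on a current interpreter the only mitigation that remains is the one the question describes.

```ruby
# Added example, not from the thread. Two ways to handle a user-typed
# command line such as "upcase hello world" (inputs are constructed here).

SAMPLE_INPUTS = [
  "upcase hello world",
  "reverse abc",
  "frobnicate x",   # not a known command: must be rejected, not evaluated
].freeze

# The pattern the question rules out: user text becomes Ruby source.
# Any method name the user types is looked up and called, so the input is
# effectively code, and no safe level on a modern Ruby will stop that.
def eval_dispatch(line)
  cmd, *args = line.to_s.split
  eval("#{args.join(' ').inspect}.#{cmd}")   # user-controlled code
end

# Allowlisted dispatch: the user picks an entry from a fixed table, and the
# arguments stay plain strings handed to a lambda we wrote ourselves.
COMMANDS = {
  "upcase"  => ->(*args) { args.join(" ").upcase },
  "reverse" => ->(*args) { args.join(" ").reverse },
}.freeze

class UnknownCommand < StandardError; end

def safe_dispatch(line)
  cmd, *args = line.to_s.split
  handler = COMMANDS[cmd]
  raise UnknownCommand, "unknown command: #{cmd.inspect}" unless handler
  handler.call(*args)
end

# Runs every sample through the allowlisted path; unknown commands are
# reported as rejected instead of being interpreted.
def run_all(inputs)
  inputs.map do |line|
    begin
      [line, safe_dispatch(line)]
    rescue UnknownCommand => e
      [line, "rejected (#{e.message})"]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  run_all(SAMPLE_INPUTS).each { |line, result| puts "#{line.inspect} => #{result}" }
end
```

On the valid inputs both dispatchers return the same result, which is exactly why the eval version looks harmless in testing; the difference only shows on input the author never anticipated, where `eval_dispatch` happily calls whatever method the user named and `safe_dispatch` raises `UnknownCommand`.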
