Ruby vulnerability in the safe level settings

Ben Gribaudo

Hi,

In regards to the recent safe level setting vulnerability
(http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby
safe level restrictions): If I trust all of the code being run and don't
eval any user input, am I unaffected by this problem (meaning that I
don't need to rush to upgrade to 1.8.3)?

Thanks,
Ben
 
ts

B> In regards to the recent safe level setting vulnerability
B> (http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby
B> safe level restrictions): If I trust all of the code being run and don't
B> eval any user input, am I unaffected by this problem (meaning that I
B> don't need to rush to upgrade to 1.8.3)?

If you know how ruby works, you are not affected.

If you don't know, first learn ruby.

The example, for this pseudo-vulnerability, was given by matz in
[ruby-core:5927].

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5927

This example was given many times in ruby-talk, to warn you if you want
to use $SAFE = 4. Apparently some security team doesn't read ruby-talk.

Sorry,



Guy Decoux
 
Yukihiro Matsumoto

Hi,

In message "Re: Ruby vulnerability in the safe level settings"

|If I trust all of the code being run and don't
|eval any user input, am I unaffected by this problem (meaning that I
|don't need to rush to upgrade to 1.8.3)?

If I trust what you wrote, yes. ;-)

matz.
 
