safe eval?

 
 
Florian Gross
05-12-2004
ts wrote:

> b = safe('
> class << s = "`mv b.rb x.rb`"
> def call
> end
> end
> a = Object.new
> ObjectSpace.define_finalizer(a, s)
> a
> ')


Heh, I don't actually regard this one as a bug of safe(), but more as
one of Ruby. I'm uncertain if matz agrees, however.

Personally, I have a more complete version of it that adds $SAFE-checks
to a lot of Ruby's built-in methods. (All methods of GC,
ObjectSpace.(define|add)_finalizer, Thread.new / .fork / .start /
.critical=, set_trace_func)

I'm pretty sure that there are more cases like this where $SAFE isn't
checked correctly in Ruby. If anybody wants to point out more of them, I
can try to come up with a way to secure them, but I'm unsure if this is
the best solution and if it will work all the time.

Actually, that's the reason for using a $SAFE-level of 5 and not 4 as one
would probably expect.

Here is the way I secure define_finalizer:

ObjectSpace.module_eval do
  class << self
    # keep the original as an UnboundMethod so the guard can delegate to it
    old_finalizer = instance_method(:define_finalizer)

    # Ruby 1.8 define_method blocks cannot declare a &block parameter,
    # so the finalizer block is handed over as an ordinary first argument
    define_method(:_define_finalizer) do |block, *args|
      raise(SecurityError, "Penalizing finalizing") if $SAFE > 1
      old_finalizer.bind(self).call(*args, &block)
    end

    # public entry point: collect the block, then go through the guard
    def define_finalizer(*args, &block)
      _define_finalizer(block, *args)
    end

    # add_finalizer is the (deprecated) 1.8 alias; cover it with the same guard
    alias :add_finalizer :define_finalizer
  end
end

If anybody wants to have the complete version with all the other added
checks, just let me know. I'll do some cleaning up and release the whole
thing in that case.

Regards,
Florian Gross
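The same guard written for a current Ruby, as an added example that is not code from this thread. $SAFE was removed in Ruby 3.0, so the "untrusted code is running" condition is modelled by a hypothetical thread-local flag (`Sandbox`, an assumption of this example). The wrapper captures `ObjectSpace.define_finalizer` as an UnboundMethod and re-binds it exactly as Florian's version does, and a small helper reproduces ts's trick of handing `define_finalizer` a String that merely answers to `call`. The point the check has to be made at registration time is that the finalizer itself runs later, at GC or exit, with no sandbox context left to consult; the helper functions return values so the behaviour can be checked rather than printed.

```ruby
# Added example, not code from the thread. The $SAFE levels discussed in the
# post were removed in Ruby 3.0, so the "untrusted code is running" condition
# is modelled here by a hypothetical thread-local flag (Sandbox.active?).
module Sandbox
  def self.active?
    Thread.current[:sandbox_active] == true
  end

  # Run the block with the flag set, restoring the previous state even if the
  # block raises (the guard below raises SecurityError from inside it).
  def self.run
    previous = Thread.current[:sandbox_active]
    Thread.current[:sandbox_active] = true
    yield
  ensure
    Thread.current[:sandbox_active] = previous
  end
end

# The guard, in the shape of Florian's wrapper: keep the original
# define_finalizer as an UnboundMethod, replace the public entry point with a
# policy check, then bind and call the original with the caller's arguments.
# define_method blocks accept &block since Ruby 1.9, so the intermediate
# _define_finalizer of the 1.8 version is not needed.
class << ObjectSpace
  original_define_finalizer = instance_method(:define_finalizer)

  define_method(:define_finalizer) do |*args, &block|
    if Sandbox.active?
      raise SecurityError, "finalizers may not be registered by sandboxed code"
    end
    original_define_finalizer.bind(self).call(*args, &block)
  end
end

# ts's trick: define_finalizer only requires the second argument to respond
# to :call, so a String with a singleton `call` is accepted as a finalizer.
# The text is never evaluated here; it only shows what gets smuggled in.
def callable_string(text)
  s = text.dup
  s.define_singleton_method(:call) { |_object_id| nil }
  s
end

# Registration attempted from inside the sandbox: :blocked when the guard fires.
def try_register_in_sandbox
  Sandbox.run do
    begin
      ObjectSpace.define_finalizer(Object.new, proc { |_id| nil })
      :registered
    rescue SecurityError
      :blocked
    end
  end
end

# Registration outside the sandbox: the guard lets the call through and the
# String finalizer is stored. Returns true if what was stored is a String.
def try_register_outside_sandbox
  target = Object.new
  stored = ObjectSpace.define_finalizer(target, callable_string("`mv b.rb x.rb`"))
  ObjectSpace.undefine_finalizer(target) # do not leave it to run at exit
  stored[1].is_a?(String)
end

if __FILE__ == $PROGRAM_NAME
  puts "inside sandbox:  #{try_register_in_sandbox}"
  puts "outside sandbox: #{try_register_outside_sandbox}"
end
```

`ObjectSpace.undefine_finalizer` is called in the second helper only so the smuggled String is not left registered; in the 1.8 scenario the whole point was that it would be acted on at finalization time, long after the sandboxed eval had returned.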
 
ts
05-13-2004
>>>>> "F" == Florian Gross <(E-Mail Removed)> writes:

F> Heh, I don't actually regard this one as a bug of safe(), but more as
F> one of Ruby. I'm uncertain if matz agrees, however.

Well, it's not really important for me: I was just able to run code that
was not expected.

F> Actually, that's the reason of using a $SAFE-level of 5 and not 4 as one
F> would probably expect.

plruby runs with $SAFE = 12


Guy Decoux





 