comp.lang.ruby

SecurityError in Ruby 1.8.4

Javier Goizueta

5/2/2006 2:57:00 PM

The next code raises an "Insecure operations" SecurityError under Ruby
1.8.4 (but not in 1.8.2):

require 'yaml'
require 'rubygems'
require_gem 'rake' # require any gem
$SAFE=1
YAML.load "---\n2005-01-05"

I've tested it with i386-mswin32 and i686-linux Ruby, and version
0.8.11 of ruby gems.
Anybody have an idea of what's happening? May it be a bug in Ruby
1.8.4?

--Javier Goizueta

2 Answers

ts

5/2/2006 3:27:00 PM

0

>>>>> "j" == jgoizueta <jgoizueta@wanadoo.es> writes:

Add this line

j> require 'yaml'
j> require 'rubygems'
j> require_gem 'rake' # require any gem
j> $SAFE=1

p $LOAD_PATH.select {|x| x.tainted? }

j> YAML.load "---\n2005-01-05"

j> Anybody have an idea of what's happening? May it be a bug in Ruby
j> 1.8.4?

ruby will not try to load a file if one component of $LOAD_PATH is
tainted.


--

Guy Decoux

Javier Goizueta

5/2/2006 5:25:00 PM

0

Oh, I see... the path strings introduced by ruby gems are tainted... so
I guess that we must make sure that all files to be required are loaded
before the $SAFE level is set if gems are used.
That seems like a real problem to me for modules that dynamically load
other modules... Anyway, this information allowed me to find a
workaround for the program where this problem has emerged, thank you
Guy!
--Javier Goizueta
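
An added example, not code from this thread: one way to vet tainted $LOAD_PATH entries (the ones Guy's diagnostic lists) and untaint only the trusted ones before $SAFE is raised, as an alternative to requiring every file up front. The function names and the vetting rules (absolute path, existing directory, not world-writable) are assumptions; the taint check is passed in as a lambda because Ruby 3.2 and later no longer have tainted?/untaint.

```ruby
require 'tmpdir'

# Real taint check; always false on Ruby 3.2+, where tainted? no longer exists.
REAL_TAINT = lambda { |s| s.respond_to?(:tainted?) && s.tainted? }

# Reason not to trust dir as a code source, or nil if it passes (assumed rules).
def load_path_problem(dir)
  return 'relative path' unless dir =~ %r{\A(/|[A-Za-z]:[\\/])}
  return 'not a directory' unless File.directory?(dir)
  return 'world-writable' if (File.stat(dir).mode & 0002) != 0
  nil
end

# Looks only at entries the predicate reports as tainted and sorts them into
# :vetted (safe to untaint) and :rejected (entry => reason).
def audit_load_path(entries, tainted = REAL_TAINT)
  report = { :vetted => [], :rejected => {} }
  entries.each do |dir|
    next unless tainted.call(dir)
    problem = load_path_problem(dir)
    report[:vetted] << dir unless problem
    report[:rejected][dir] = problem if problem
  end
  report
end

# Run before raising $SAFE: untaint vetted entries, drop rejected ones.
def prepare_load_path!(entries, tainted = REAL_TAINT)
  report = audit_load_path(entries, tainted)
  report[:vetted].each { |dir| dir.untaint if dir.respond_to?(:untaint) }
  entries.reject! { |dir| report[:rejected].key?(dir) }
  report
end

# Constructed sample: temp directories standing in for gem-added load paths.
def demo
  Dir.mktmpdir do |root|
    good = File.join(root, 'gem-a'); bad = File.join(root, 'gem-b')
    Dir.mkdir(good); File.chmod(0755, good)
    Dir.mkdir(bad);  File.chmod(0777, bad)
    path = [good, bad, 'lib']
    all_tainted = lambda { |_s| true } # constructed stand-in for real taint
    report = prepare_load_path!(path, all_tainted)
    [path.map { |d| File.basename(d) }, report[:rejected].values.sort]
  end
end

p demo if __FILE__ == $0
```

On a Ruby that still has taint, calling prepare_load_path!($LOAD_PATH) just before the $SAFE assignment applies the same checks to the real load path.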