So, if I put a form on a website that executes whatever code people
put into it with $SAFE=4, would this be safe?
No, it wouldn’t work (IIRC). $SAFE=4 here would not allow the code to be
executed at all. It’s ‘safe’ in that way.
Chris
I just managed to make a program that reads a line from standard input
and eval’s it under $SAFE=4. It seems to allow the code to be
executed. I do have to put “$SAFE=4” in a separate Thread, or else I
can’t break out of safe mode (apparently, setting $SAFE will persist
forever, rather than just for the life of the block).
[shoujoai@lina safe]$ cat myeval.rb
def safeEval(expr)
result = nil
Thread::start {
$SAFE = 4
result = eval expr
}.join
result
end
loop {
print ‘Enter expression: ’
expr = gets
break if !expr
puts safeEval(expr)
}
[shoujoai@lina safe]$ ruby myeval.rb
Enter expression: 1+1
2
Enter expression: puts ‘Hello, world!’
myeval.rb:5:in safeEval': (eval):1:in write’: Insecure operation
write' at level 4 (SecurityError) from myeval.rb:3:in join’
from myeval.rb:3:in safeEval' from myeval.rb:14 from myeval.rb:11:in loop’
from myeval.rb:11
···
On Wed, Jun 05, 2002 at 05:19:30AM +0900, Morris, Chris wrote:
So, if I put a form on a website that executes whatever code people
put into it with $SAFE=4, would this be safe?No, it wouldn’t work (IIRC). $SAFE=4 here would not allow the code to be
executed at all. It’s ‘safe’ in that way.