How safe is $SAFE=4?


(Morris, Chris) #1

So, if I put a form on a website that executes whatever code people
put into it with $SAFE=4, would this be safe?

No, it wouldn’t work (IIRC). $SAFE=4 here would not allow the code to be
executed at all. It’s ‘safe’ in that way.

Chris


(Philip Mak) #2

I just managed to make a program that reads a line from standard input
and eval’s it under $SAFE=4. It seems to allow the code to be
executed. I do have to put “$SAFE=4” in a separate Thread, or else I
can’t break out of safe mode (apparently, setting $SAFE will persist
forever, rather than just for the life of the block).

[shoujoai@lina safe]$ cat myeval.rb
def safeEval(expr)
result = nil
Thread::start {
$SAFE = 4
result = eval expr
}.join
result
end

loop {
print 'Enter expression: '
expr = gets
break if !expr
puts safeEval(expr)
}
[shoujoai@lina safe]$ ruby myeval.rb
Enter expression: 1+1
2
Enter expression: puts 'Hello, world!'
myeval.rb:5:in `safeEval': (eval):1:in `write': Insecure operation `write' at level 4 (SecurityError)
        from myeval.rb:3:in `join'
        from myeval.rb:3:in `safeEval'
        from myeval.rb:14
        from myeval.rb:11:in `loop'
        from myeval.rb:11

On Wed, Jun 05, 2002 at 05:19:30AM +0900, Morris, Chris wrote:

> So, if I put a form on a website that executes whatever code people
> put into it with $SAFE=4, would this be safe?
>
> No, it wouldn't work (IIRC). $SAFE=4 here would not allow the code to be
> executed at all. It's 'safe' in that way.
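As an added example (not code from this thread or from the Ruby project), here is a re-implementation of the session above that keeps its visible behaviour, `1+1` answering `2` and `puts 'Hello, world!'` being refused, without ever handing the string to `eval`. The names `ArithmeticEvaluator`, `RejectedExpression` and `safe_eval` are constructed for the illustration. Because the untrusted text is only tokenized and parsed against a whitelist grammar, there is no interpreter-wide flag like `$SAFE` to scope to a thread; a length cap and a wall-clock limit bound the work one input can cause. It is worth knowing that `$SAFE=4` was declared obsolete in Ruby 2.1 and `$SAFE` lost all meaning in Ruby 3.0, so the `safeEval` above no longer runs on current Ruby while this version does.

```ruby
# Added example, not from the original thread. All names are constructed.
# The input is only tokenized and parsed (integers, + - * /, parentheses,
# unary minus); nothing it contains is ever executed.
require 'timeout'

# Raised for any input that is not a well-formed arithmetic expression.
class RejectedExpression < StandardError; end

class ArithmeticEvaluator
  MAX_LENGTH = 200 # bounds tokenizer work and recursion depth of nested parens

  def self.evaluate(src)
    raise RejectedExpression, 'expression too long' if src.length > MAX_LENGTH
    ev = new(src)
    value = ev.parse_expr
    ev.expect_end
    value
  end

  def initialize(src)
    @tokens = tokenize(src)
    @pos = 0
  end

  # expr := term (('+' | '-') term)*
  def parse_expr
    value = parse_term
    while ['+', '-'].include?(peek)
      op = advance
      rhs = parse_term
      value = op == '+' ? value + rhs : value - rhs
    end
    value
  end

  # term := factor (('*' | '/') factor)*
  def parse_term
    value = parse_factor
    while ['*', '/'].include?(peek)
      op = advance
      rhs = parse_factor
      if op == '*'
        value *= rhs
      else
        raise RejectedExpression, 'division by zero' if rhs.zero?
        value /= rhs # integer division, as eval would give for 5/2
      end
    end
    value
  end

  # factor := INTEGER | '-' factor | '(' expr ')'
  def parse_factor
    tok = advance
    case tok
    when Integer then tok
    when '-' then -parse_factor
    when '('
      value = parse_expr
      raise RejectedExpression, 'missing closing parenthesis' unless advance == ')'
      value
    else
      raise RejectedExpression, "unexpected token #{tok.inspect}"
    end
  end

  def expect_end
    raise RejectedExpression, "trailing input #{peek.inspect}" if peek
  end

  private

  # Anything that is not a digit run, an operator or whitespace is rejected
  # here, before the parser ever sees it (so "puts" fails on its first letter).
  def tokenize(src)
    src.scan(%r{\d+|[-+*/()]|\S}).map do |tok|
      case tok
      when /\A\d+\z/ then Integer(tok, 10)
      when %r{\A[-+*/()]\z} then tok
      else raise RejectedExpression, "unexpected character #{tok.inspect}"
      end
    end
  end

  def peek
    @tokens[@pos]
  end

  def advance
    tok = @tokens[@pos]
    @pos += 1
    tok
  end
end

# Counterpart of the thread's safeEval: [true, value] for an accepted
# expression, [false, reason] otherwise. The time limit bounds one input's cost.
def safe_eval(expr, limit: 1.0)
  value = Timeout.timeout(limit) { ArithmeticEvaluator.evaluate(expr.to_s) }
  [true, value]
rescue RejectedExpression, Timeout::Error => e
  [false, e.message]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, including the two lines typed in the session above.
  ["1+1", "puts 'Hello, world!'", "2*(3+4)-5/2", "1/0"].each do |expr|
    ok, out = safe_eval(expr)
    puts "#{expr.inspect} => #{ok ? out : "rejected (#{out})"}"
  end
end
```

The grammar is deliberately tiny; extending it means adding a production, not loosening a blacklist, which is the property the `$SAFE` approach could not offer.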