Augh. It worked in the testbed.
Try this variation:
Couldn't quite get anything to execute in this version (I actually
solved my own hack yesterday after posting - by adding remove_method
:class just before you include Safe).
But that just means I couldn't hack it, not that it's not breakable.
All that said, I can always be annoying if I wish - watch your machines
memory and cpu when fed this:
str = "x = ; 0.upto(1.0/0) { x << Class.new }"
Hope this thread managed to convince you that running code received from
users (or otherwise untrusted) is always a Bad Thing(tm).