Ruby vulnerability in the safe level settings

Hi,

In regards to the recent safe level setting vulnerability (http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby safe level restrictions): If I trust all of the code being run and don't eval any user input, am I unaffected by this problem (meaning that I don't need to rush to upgrade to 1.8.3)?

Thanks,
Ben

In regards to the recent safe level setting vulnerability
(http://ruby-lang.org/en/20051003.html -- Objects can get around Ruby
safe level restrictions): If I trust all of the code being run and don't
eval any user input, am I unaffected by this problem (meaning that I
don't need to rush to upgrade to 1.8.3)?

If you know how ruby works, you are not affected.

If you don't know, first learn ruby.

The example, for this pseudo-vulnerability, was given by matz in
[ruby-core:5927].

  http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5927

This example was given many times in ruby-talk, to warn you if you want
to use $SAFE = 4. Apparently some security teams don't read ruby-talk.

Sorry,

Guy Decoux

Hi,

In message "Re: Ruby vulnerability in the safe level settings" on Fri, 7 Oct 2005 23:21:57 +0900, Ben Gribaudo <rubytalk@bengribaudo.com> writes:

If I trust all of the code being run and don't
eval any user input, am I unaffected by this problem (meaning that I
don't need to rush to upgrade to 1.8.3)?

If I trust what you wrote, yes. :wink:

              matz.