Wouldn't it make sense to remove $SAFE and introduce a SAFE module?
This module could contain a getter/setter couple for every restriction
allowed by safe levels plus a convenient Safe.level=(anInteger)
On Tue, 4 May 2004 04:14:06 +0900, Guillaume Marcais guslist@free.fr wrote:

> Is there any way to have the same restriction that $SAFE=4 would give
> except the right to write to already opened IO?
> More generally, would it make sense to have a more flexible way to
> cherry pick what limitation to impose on a thread? Like:
>
>   Safe.flags(:no_filesystem, :no_redefine_core) do
>     load "untrusted_code.rb"
>   end
I always thought that $SAFE was rather perlish, and hoped that it could
eventually be gotten rid of. I think a Safe module would be a great way
to get rid of the $SAFE global entirely (eventually).
cheers,
–Mark
On May 3, 2004, at 1:08 PM, gabriele renzi wrote:

> On Tue, 4 May 2004 04:14:06 +0900, Guillaume Marcais guslist@free.fr wrote:
>
> > Is there any way to have the same restriction that $SAFE=4 would give
> > except the right to write to already opened IO?
> > More generally, would it make sense to have a more flexible way to
> > cherry pick what limitation to impose on a thread? Like:
>
> Wouldn't it make sense to remove $SAFE and introduce a SAFE module?
> This module could contain a getter/setter couple for every restriction
> allowed by safe levels plus a convenient Safe.level=(anInteger)
class Safe
  # Run the block in a fresh thread whose $SAFE is raised to +lvl+.
  # $SAFE was thread-local in the Ruby of this thread, so the caller's
  # own level is untouched; join re-raises anything the block raised.
  def self.level(lvl)
    th = Thread.new do
      $SAFE = lvl.to_i
      yield
    end
    th.join
  end
end
Does exactly what you’d expect.
Also, for the original poster’s question: one way around the problem is
to use a setup like the one above, and have the SAFE thread pass the
content to be written out to another, non-SAFE thread which can sanity
check it and then write it to the IO.
If you’re still confused I could dig up some code where I did some
playing around with something like this once.
If wp.binding method is undefined, how do you crack it?
You make the common error of thinking that #to_s returns a String
Hmmm…
Well, under $SAFE==4, I must check that the return value of
the to_s method is a String and that the String object has no
singleton methods. However, I cannot trust all methods
of the object because those methods may be overridden.
It means that I cannot know the class of the object which is
passed to the safe-level capsule, doesn't it?
That is, if I allow a safe-level capsule proc to access
an untrusted object, I cannot avoid giving the proc's
safe-level rights to the caller.
Am I right? Or is there any way to avoid security holes?
No need for this, you just need to use a method that you can trust like
String::new
proc { |s| $SAFE = 4; wp.call(String.new(s.to_s)) }
How foolish I am!
I mistakenly thought it was a problem that String.new(obj) calls obj.to_str
if obj is not a String.
It is NOT a problem because obj.to_str is called under $SAFE==4.
I need more practice for Ruby programming. :-<
Thank you.
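The two ideas in this thread, handing a sandboxed thread's output to a trusted thread that checks it before writing (the suggestion after the Safe class), and relying only on String.new to turn an untrusted object's to_s result into a plain String (the String.new(s.to_s) proc), as one added example. This is not code from anyone in the thread. It assumes a current Ruby, where $SAFE no longer exists, so it shows only the handoff and coercion discipline, not the privilege drop; plain_string_from, run_with_checked_output, lying_string, Tattler, Convertible and OnlyToStr are constructed names for this example.

```ruby
require "stringio"

# Build a plain String from an untrusted object's to_s, trusting only
# String.new: a String argument is byte-copied into a fresh String (class
# exactly String, no singleton methods); a non-String argument must answer
# to_str; anything else raises TypeError.
def plain_string_from(obj)
  raw = obj.to_s        # untrusted code runs here; its result is never used directly
  s = String.new(raw)   # copy, or implicit to_str conversion, or TypeError
  unless s.instance_of?(String) && s.singleton_methods.empty?
    raise TypeError, "conversion did not yield a plain String"
  end
  s
end

# --- constructed misbehaving objects (assumptions for this example) ---

# A real String whose singleton methods replace what a consumer might call:
# is_a?(String) is true, yet length and to_str lie. String.new copies the
# bytes and leaves the singleton methods behind.
def lying_string
  s = String.new("harmless")
  def s.to_str; "something else"; end
  def s.length; 0; end
  s
end

# to_s returns an Integer: String.new(42) finds no to_str, so the trusted
# side rejects it with TypeError.
class Tattler
  def to_s; 42; end
end

# to_s returns a non-String that only offers to_str; String.new calls it.
class OnlyToStr
  def to_str; "via to_str"; end
end

class Convertible
  def to_s; OnlyToStr.new; end
end

# The handoff pattern: the producer thread (standing in for sandboxed code)
# never touches +io+; it pushes values onto a Queue, and a trusted consumer
# writes only what survives plain_string_from. Returns the rejection count.
def run_with_checked_output(io, untrusted_values)
  queue = Queue.new
  done = Object.new   # private sentinel an untrusted value cannot forge
  producer = Thread.new do
    untrusted_values.each { |v| queue << v }
    queue << done
  end
  rejected = 0
  loop do
    item = queue.pop
    break if done.equal?(item)   # compare from the trusted side, not via item's ==
    begin
      io.puts(plain_string_from(item))
    rescue StandardError          # a raising or lying to_s counts as rejection
      rejected += 1
    end
  end
  producer.join
  rejected
end

if __FILE__ == $0
  out = StringIO.new
  n = run_with_checked_output(out, [String.new("ok"), lying_string, Tattler.new, Convertible.new])
  print out.string
  puts "rejected: #{n}"
end
```

The consumer compares the sentinel with done.equal?(item) rather than item != done so that an untrusted object cannot end the loop early by overriding == or !=; the same idea as not trusting the object's own to_s result. Without $SAFE, the untrusted to_s and to_str still execute with the consumer's privileges, which is exactly the gap the thread's safe-level capsule was meant to close.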