Easy for $SAFE <= 3:
$ cat desafe.rb
inline do |builder|
builder.prefix "RUBY_EXTERN int ruby_safe_level;"
ruby_safe_level = 0;
$SAFE = ARGV.shift.to_i rescue 0
$ rm -fr ~/.ruby_inline/; ruby desafe.rb 4
desafe.rb:20:in `write': Insecure operation `write' at level 4 (SecurityError)
from desafe.rb:20:in `p'
$ rm -fr ~/.ruby_inline/; ruby desafe.rb 3

On Aug 30, 2006, at 1:24 PM, snacktime wrote:
On 8/30/06, Ken Bloom <email@example.com> wrote:
snacktime <firstname.lastname@example.org> wrote:
> There really isn't anything you can do to make this safe. Even $SAFE
> itself can be set to a different value from the usercode.

No, it can't. At lower levels it throws a SecurityError saying it
can't downgrade the safe level. At higher levels, it throws a
SecurityError saying it "can't change global variable value"
(i.e. the rules of Level 4 inherently prevent you from changing the

Ya you are correct, it won't let you change the safe level. I wonder
how hard it would be to bypass it though using something like

Eric Hodel - email@example.com - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant