Strange safe level change

Eric Hodel wrote:

Eric Hodel wrote:

Well, I'm mailing about a problem I'm having while using the Rails
framework; since it does seem to be a Ruby problem I thought I
might as well post here.

I have a security level problem: for unknown reasons it switches
from level 0 to level 4 and then provokes some error related to the
security level...

$SAFE is switched when you assign to it, never at any other time.

Is it so? Consider the following code:

Test.new.method(:show_safe).taint.call

It produces:

:!ruby safe.rb
1.8.4
i686-linux
0
safe.rb:5:in `write': Insecure operation `write' at level 4 (SecurityError)
        from safe.rb:5:in `show_safe'
        from safe.rb:12

Interesting.

You are right. From method_call:

     if (OBJ_TAINTED(method)) {
         safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED;
     }

Yes, I got the idea for the example from looking at this particular spot
;-). Interesting that, if your current $SAFE level is 1, such a method
invocation switches it to 5.

$SAFE is only changed for the method invocation, it does not leak
into the surrounding process. puts $SAFE afterward shows the
original safe level.

You are absolutely right. However, what if a method invoked in such a
way is a starting point for your entire subsystem? ;-)

I wonder, what is the reason for such a behavior? I am sure there's a
very good one.

Gennady.

On Jan 9, 2007, at 10:40, Gennady Bystritsky wrote:

On Jan 8, 2007, at 22:29, Tom wrote: