kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

* NEWS: add notes for $SAFE.

Browse source 
* doc/security.rd: remove the description of $SAFE=4.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41290 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
shugo 2013-06-14 00:53:37 +00:00
parent 34f25ffaf4
commit 73a229c3a5
3 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ChangeLog
View file

@ -1,3 +1,9 @@
Fri Jun 14 09:48:48 2013 Shugo Maeda <shugo@ruby-lang.org>
* NEWS: add notes for $SAFE.
* doc/security.rd: remove the description of $SAFE=4.
Fri Jun 14 00:14:29 2013 Tanaka Akira <akr@fsij.org> Fri Jun 14 00:14:29 2013 Tanaka Akira <akr@fsij.org>
* bignum.c (bigdivrem): Zero test condition simplified. * bignum.c (bigdivrem): Zero test condition simplified.

10
NEWS
View file

@ -43,6 +43,10 @@ with all sufficient information, see the ChangeLog file.
=== Core classes compatibility issues (excluding feature bug fixes) === Core classes compatibility issues (excluding feature bug fixes)
* Kernel#untrusted?, untrust, and trust
* These methods are deprecated and their behavior is same as tainted?,
taint, and untaint, respectively. If $VERBOSE is true, they show warnings.
* IO * IO
* incompatible changes: * incompatible changes:
* open ignore internal encoding if external encoding is ASCII-8BIT. * open ignore internal encoding if external encoding is ASCII-8BIT.
@ -120,4 +124,10 @@ with all sufficient information, see the ChangeLog file.
It gets encoding argument to convert before percent encode. It gets encoding argument to convert before percent encode.
UTF-16 strings aren't converted to UTF-8 before percent encode by default. UTF-16 strings aren't converted to UTF-8 before percent encode by default.
=== Built-in global variables compatibility issues
* $SAFE
* $SAFE=4 is obsolete. If $SAFE is set to 4 or larger, an ArgumentError
is raised.
=== C API updates === C API updates

7
doc/security.rdoc
View file

@ -21,12 +21,7 @@ Ruby provides a mechanism to restrict what operations can be performed by Ruby
code in the form of the <code>$SAFE</code> variable. code in the form of the <code>$SAFE</code> variable.
However, <code>$SAFE</code> does not provide a secure environment for executing However, <code>$SAFE</code> does not provide a secure environment for executing
untrusted code even at its maximum level of +4+. <code>$SAFE</code> is untrusted code.
inherently flawed as a security mechanism, as it relies on every unsafe
operation performed by any C method to be guarded by a <code>$SAFE</code>
check. If this check is ever missed, the entire security of the system is
compromised. <code>$SAFE</code> also does not offer any protection against
denial of service attacks.
If you need to execute untrusted code, you should use an operating system level If you need to execute untrusted code, you should use an operating system level
sandboxing mechanism. On Linux, ptrace or LXC can be used to sandbox sandboxing mechanism. On Linux, ptrace or LXC can be used to sandbox