Wednesday, 15 September 2010

ruby - What's the equivalent to $SAFE=4?

I was playing with threads and eval when I ran into an issue. The code is:

    thread = Thread.start { $SAFE = 4; eval("`touch ~/test`") }
    thread.join

But this results in an error:

    ArgumentError: $SAFE=4 is obsolete
        from (irb):2:in `block in irb_binding'

I found that $SAFE=4 became obsolete in Ruby 2.1:

    $SAFE=4 is obsolete. If $SAFE is set to 4 or larger, an ArgumentError is raised.

But it is not mentioned what should be used instead. Is there an equivalent of $SAFE=4? I want to run eval in the safest way.

The way I see it is to exploit Binding for safe evals:

http://rdoc.info/stdlib/core/2.1.0/binding

    class Demo
      def initialize(n)
        @secret = n
      end

      def get_binding
        return binding()
      end
    end

    k1 = Demo.new(99)
    b1 = k1.get_binding
    k2 = Demo.new(-3)
    b2 = k2.get_binding

    eval("@secret", b1)   #=> 99
    eval("@secret", b2)   #=> -3
    eval("@secret")       #=> nil
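As an added example, not part of the question or the answer above, the following Ruby 2.1+ script shows what a Binding-scoped eval actually restricts and what it leaves open: the Binding selects which instance variables and locals an expression sees, but constants and method calls still resolve, so it is a scoping tool rather than a replacement for the old $SAFE=4 sandbox. The names Demo, Sandbox and scoped_eval are constructed for this example.

```ruby
# Added example (not the original poster's or answerer's code).
# Demo, Sandbox and scoped_eval are names constructed for this illustration.

class Demo
  def initialize(n)
    @secret = n
  end

  # A Binding whose instance-variable scope is this object only.
  def get_binding
    binding
  end
end

# A bare object whose Binding carries no caller locals or instance variables.
class Sandbox
  def clean_binding
    binding
  end
end

# Evaluate expr inside the given Binding.
# Returns [result, nil] on success or [nil, error_class] on failure.
# Note: nothing here blocks constant lookup or method calls, so the
# expression string must still come from a trusted source.
def scoped_eval(expr, bnd)
  [bnd.eval(expr), nil]
rescue StandardError => e
  [nil, e.class]
end

if __FILE__ == $PROGRAM_NAME
  caller_local = 42                                     # not visible via b1
  b1 = Demo.new(99).get_binding
  p scoped_eval("@secret", b1)                          # [99, nil]
  p scoped_eval("@secret", Sandbox.new.clean_binding)   # [nil, nil]  (unset ivar is nil)
  p scoped_eval("caller_local", b1)                     # [nil, NameError]  locals do not leak
  p scoped_eval("Object", b1)                           # [Object, nil]  constants still resolve
end
```

The last line is the caveat: a Binding narrows variable visibility, it does not prevent an expression from reaching the rest of the interpreter.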
