[#44036] [ruby-trunk - Feature #6242][Open] Ruby should support lists — "shugo (Shugo Maeda)" <redmine@...>
20 messages
2012/04/01
[#44084] [ruby-trunk - Bug #6246][Open] 1.9.3-p125 intermittent segfault — "jshow (Jodi Showers)" <jodi@...>
22 messages
2012/04/02
[#44156] [ruby-trunk - Feature #6265][Open] Remove 'useless' 'concatenation' syntax — "rosenfeld (Rodrigo Rosenfeld Rosas)" <rr.rosas@...>
45 messages
2012/04/06
[#44207] [ruby-trunk - Feature #6265] Remove 'useless' 'concatenation' syntax
— "mame (Yusuke Endoh)" <mame@...>
2012/04/09
[#44211] Re: [ruby-trunk - Feature #6265] Remove 'useless' 'concatenation' syntax
— Yukihiro Matsumoto <matz@...>
2012/04/09
Hi,
[#44232] Re: [ruby-trunk - Feature #6265] Remove 'useless' 'concatenation' syntax
— SASADA Koichi <ko1@...>
2012/04/09
(2012/04/09 14:19), Yukihiro Matsumoto wrote:
[#44163] [ruby-trunk - Bug #6266][Open] encoding related exception with recent integrated psych — "jonforums (Jon Forums)" <redmine@...>
10 messages
2012/04/06
[#44233] [ruby-trunk - Bug #6274][Open] Float addition incorrect — "swanboy (Michael Swan)" <swanyboy4@...>
3 messages
2012/04/09
[#44303] [ruby-trunk - Feature #6284][Open] Add composition for procs — "pabloh (Pablo Herrero)" <pablodherrero@...>
57 messages
2012/04/12
[#44329] [ruby-trunk - Feature #6287][Open] nested method should only be visible by nesting/enclosing method — "botp (bot pena)" <botpena@...>
4 messages
2012/04/13
[#44349] [ruby-trunk - Feature #6293][Open] new queue / blocking queues — "tenderlovemaking (Aaron Patterson)" <aaron@...>
10 messages
2012/04/13
[#44354] [ruby-trunk - Feature #6293][Assigned] new queue / blocking queues
— "mame (Yusuke Endoh)" <mame@...>
2012/04/14
[#44357] Re: [ruby-trunk - Feature #6293][Assigned] new queue / blocking queues
— Aaron Patterson <tenderlove@...>
2012/04/14
On Sat, Apr 14, 2012 at 10:58:12AM +0900, mame (Yusuke Endoh) wrote:
[#44384] Re: [ruby-trunk - Feature #6293][Assigned] new queue / blocking queues
— SASADA Koichi <ko1@...>
2012/04/16
Hi,
[#44391] Re: [ruby-trunk - Feature #6293][Assigned] new queue / blocking queues
— Aaron Patterson <tenderlove@...>
2012/04/16
On Mon, Apr 16, 2012 at 06:25:59PM +0900, SASADA Koichi wrote:
[#44372] Possible merge error of code in Issue 4651 on to Ruby 1.9.3-p125? — "Blythe,Aaron" <ABLYTHE@...>
tl;dr I believe I have uncovered a merge error to ruby 1.9.3-p125 from Issue 4651. Please advise if this is the same issue, or if a separate issue needs to be logged. Details below.
3 messages
2012/04/16
[#44431] [Backport93 - Backport #6314][Open] Backport r35374 and r35375 — "drbrain (Eric Hodel)" <drbrain@...7.net>
4 messages
2012/04/18
[#44432] [ruby-trunk - Feature #6315][Open] handler to trace output of each line of code executed — "ankopainting (Anko Painting)" <anko.com+ruby@...>
9 messages
2012/04/18
[#44533] [ruby-trunk - Bug #6341][Open] SIGSEGV: Thread.new { fork { GC.start } }.join — "rudolf (r stu3)" <redmine@...>
24 messages
2012/04/22
[#44564] [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— "kosaki (Motohiro KOSAKI)" <kosaki.motohiro@...>
2012/04/23
[#44573] Re: [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— Yusuke Endoh <mame@...>
2012/04/24
Hello,
[#44577] Re: [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— KOSAKI Motohiro <kosaki.motohiro@...>
2012/04/24
On Mon, Apr 23, 2012 at 11:17 PM, Yusuke Endoh <mame@tsg.ne.jp> wrote:
[#44582] Re: [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— Yusuke Endoh <mame@...>
2012/04/24
Hello,
[#44596] Re: [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— KOSAKI Motohiro <kosaki.motohiro@...>
2012/04/24
(4/24/12 6:55 AM), Yusuke Endoh wrote:
[#44579] [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— "naruse (Yui NARUSE)" <naruse@...>
2012/04/24
[#44581] Re: [ruby-trunk - Bug #6341] SIGSEGV: Thread.new { fork { GC.start } }.join
— KOSAKI Motohiro <kosaki.motohiro@...>
2012/04/24
> kosaki (Motohiro KOSAKI) wrote:
[#44540] [ruby-trunk - Bug #6343][Open] Improved Fiber documentation — "andhapp (Anuj Dutta)" <anuj@...>
6 messages
2012/04/23
[#44612] [ruby-trunk - Feature #6354][Open] Remove escape (break/return/redo/next support) from class/module scope — "ko1 (Koichi Sasada)" <redmine@...>
8 messages
2012/04/25
[#44630] [ruby-trunk - Feature #6361][Open] Bitwise string operations — "MartinBosslet (Martin Bosslet)" <Martin.Bosslet@...>
31 messages
2012/04/26
[#44713] [ruby-trunk - Feature #6361] Bitwise string operations
— "MartinBosslet (Martin Bosslet)" <Martin.Bosslet@...>
2012/04/28
[#44731] Re: [ruby-trunk - Feature #6361] Bitwise string operations
— KOSAKI Motohiro <kosaki.motohiro@...>
2012/04/28
On Fri, Apr 27, 2012 at 8:53 PM, MartinBosslet (Martin Bosslet)
[#44759] Re: [ruby-trunk - Feature #6361] Bitwise string operations
— Joshua Ballanco <jballanc@...>
2012/04/29
On Saturday, April 28, 2012 at 8:52 AM, KOSAKI Motohiro wrote:
[#44636] [ruby-trunk - Bug #6364][Open] Segmentation fault happend when running test_cptr.rb — "raylinn@... (ray linn)" <raylinn@...>
9 messages
2012/04/26
[#44667] possible YAML bug in ruby 1.9.3p125? — Young Hyun <youngh@...>
YAML in ruby 1.9.3p125 seems to have a bug reading in YAML from older Ruby versions. Specifically, YAML in 1.9.3p125 mis-parses text like "123_456" as a number (just as in Ruby) rather than as a string, which appears to be the correct behavior according to the YAML specification.
4 messages
2012/04/27
[#44686] [BUG] not a node 0x07 — ronald braswell <rpbraswell@...>
Running ruby 1.8.6 on Solaris 10.
7 messages
2012/04/27
[#44688] Re: [BUG] not a node 0x07
— "NARUSE, Yui" <naruse@...>
2012/04/27
2012/4/28 ronald braswell <rpbraswell@gmail.com>:
[#44694] Re: [BUG] not a node 0x07
— ronald braswell <rpbraswell@...>
2012/04/27
I have heard reports of this on 1.9.x. Do you know if this problem has
[#44704] [ruby-trunk - Feature #6373][Open] public #self — "trans (Thomas Sawyer)" <transfire@...>
61 messages
2012/04/27
[#44735] [ruby-trunk - Feature #6373] public #self
— "matz (Yukihiro Matsumoto)" <matz@...>
2012/04/28
[#59892] [ruby-trunk - Feature #6373] public #self
— ruby-core@...
2014/01/20
Issue #6373 has been updated by Marc-Andre Lafortune.
[#44743] [ruby-trunk - Feature #6375][Open] Python notation for literal Hash — "alexeymuranov (Alexey Muranov)" <redmine@...>
10 messages
2012/04/28
[#44748] [ruby-trunk - Feature #6376][Open] Feature lookup and checking if feature is loaded — "trans (Thomas Sawyer)" <transfire@...>
13 messages
2012/04/28
[#44832] [ruby-trunk - Feature #6376][Feedback] Feature lookup and checking if feature is loaded
— "mame (Yusuke Endoh)" <mame@...>
2012/05/03
[#44835] Re: [ruby-trunk - Feature #6376][Feedback] Feature lookup and checking if feature is loaded
— Nikolai Weibull <now@...>
2012/05/03
On Thu, May 3, 2012 at 6:02 AM, mame (Yusuke Endoh) <mame@tsg.ne.jp> wrote:
[ruby-core:44716] [ruby-trunk - Feature #5455] $SAFE should be removed
From:
"headius (Charles Nutter)" <headius@...>
Date:
2012-04-28 03:25:50 UTC
List:
ruby-core #44716
Issue #5455 has been updated by headius (Charles Nutter). In an effort to be constructive here, I will attempt to break out specific, concrete permissions revoked at each SAFE level (or conversely, granted as SAFE levels are reduced). I base this on the publicly available edition of Programming Ruby (http://www.ruby-doc.org/docs/ProgrammingRuby/) under the chapter "Locking Ruby in the Safe", since I do not have a current copy handy. I attempt to phrase these as they would be described in security documentation, with a proposed "permission" name for illustrative purposes. These permissions would NOT necessarily be grouped as in the SAFE levels, other than for SAFE level compatibility. The user would be able to mix and match them at will, as with Java security policies. Some permissions may imply other permissions must be granted. I also omit restrictions relating to tainting, since I believe tainting is a fundamentally flawed mechanism of security. From SAFE level 1: * OptionsFromEnvironment - whether RUBYLIB and RUBYOPT are observed * SearchCurrentDirectory - whether . is added to the load path. In 1.9 this one is moot, since . is not added to load path by default * NonlocalScripts - whether -e -i -I -r -s -S and -x options are observed * ExecFromWorldWritable - whether external commands can be executed if the directory containing them is world-writable * EvalString - whether arbitrary strings can be evaluated. Either allow strings or do not; don't rely on tainting bits for "safety". * LoadFile - whether external files can be loaded. Same argument regarding tainting. * QueryIOStatus - whether IO channels' statuses can be queried or modified. (I'm not quite sure what "status" means in this context) * ExecCommand - whether external commands can be executed. * SignalTrap - whether signals can be trapped and handled. From SAFE level 2: * ManipulateDirectories - whether directories can be modified, changed into, or chrooted. Note that Java provides for file/dir permissions to be granted on a per-file or per-hierarchy basis, which is much more flexible. You grant access to what you want to allow access to. * LoadFromWorldWritable - whether files can be loaded from directories that are world-writable. * LoadFromHomeBase - whether files can be loaded from paths starting with ~. * QueryFileStatus - whether methods like File.stat, File.umask can be used. * ModifyFileStatus - whether methods like File.chown, File.chmod can be used. Java may have a better grouping of these operations, I'm not sure. * ModifyProcess - whether methods like Kernel#fork, Process.setpgid, etc can be used. From SAFE level 3: NONE..the only restrictions at this level are related to tainting. From SAFE level 4: * ModifyGlobalVariable - whether global variables can be updated. * AccessInstanceVariableExternally - whether methods like instance_variable_get can be used. * ModifyEnvironmentVariable - whether ENV changes are permitted. * CloseFile - whether already open files can be closed. * OpenFile - whether new files can be opened. * FreezeObject - whether objects not already frozen can be frozen. * AlterVisibility - whether existing methods can have their visibility changed. * AliasMethod - whether new method aliases can be defined. * QueryMetadata - whether method and variable lists can be queried. * DefineMethod - whether methods can be defined, redefined, removed, or undef'ed. * ModifyObject - whether the Object class can be modified in any way. Perhaps includes top-level? * ModifyInstanceVariablesExternally - whether instance variables can be modified or removed via instance_variable_set and friends. * ModifyThread - whether currently running threads can be modified in any way. * ModifyThreadLocalVariable - whether thread-local variables can be modified. * TerminateThread - whether threads can be terminated from outside the thread itself. * ModifyThreadGroup - whether threads can be removed or added to thread groups. * ExitProcess - whether the current process can be terminated. * IncludeModule - whether modules can be included into existing class hierarchies. * WalkObjects - whether methods like each_object or _id2ref are allowed. * WriteToIO - whether writes to IO channels are allowed. * DefineAutoload - whether new autoloads can be defined. This is just a rough example from 15 minutes of flipping the safe level documentation around a little. It's obviously not all-encompassing; there are things you might expect an attacker to do in untrusted code that aren't covered here. But hopefully it shows how the current safe levels could be broken into finer-grained permissions that users can assembly in any way they choose, and which different implementations can implement either in terms of VM restrictions or OS-level restrictions. ---------------------------------------- Feature #5455: $SAFE should be removed https://bugs.ruby-lang.org/issues/5455#change-26277 Author: kosaki (Motohiro KOSAKI) Status: Open Priority: Normal Assignee: Category: Target version: 3.0 see [ruby-dev:44554] [ruby-dev:44572] -- http://bugs.ruby-lang.org/