From: "jeremyevans0 (Jeremy Evans)"
Date: 2012-05-08T14:34:14+09:00
Subject: [ruby-core:44935] [ruby-trunk - Feature #6409] public_send is easily bypassed

Issue #6409 has been updated by jeremyevans0 (Jeremy Evans).

I see no reason to special case this. send is a public method, therefore public_send should be allowed to call it. Attempting to deny access to send for safety reasons is pointless considering that instance_eval is public and can be used to work around the issue in the same way:

  t.public_send(:instance_eval, 'secret')
  t.public_send(:instance_eval, 'exec("rm -rf ~")')

public_send doesn't imply safety, at all, and it was not designed for such a purpose.

----------------------------------------
Feature #6409: public_send is easily bypassed
https://bugs.ruby-lang.org/issues/6409#change-26523

Author: postmodern (Hal Brodigan)
Status: Open
Priority: Normal
Assignee:
Category: core
Target version: 2.0.0

=begin
(({public_send})) can easily be bypassed, by using it to call (({send})). (({public_send})) should explicitly not allow calling (({send})).

  class Test
    private
    def secret
      "top secret"
    end
  end

  t = Test.new
  t.public_send(:secret)
  # => NoMethodError: private method `secret' called for #
  t.public_send(:send, :secret)
  # => "top secret"
  t.public_send(:send, :exec, "rm -rf ~")
=end

--
http://bugs.ruby-lang.org/
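
Added example, not part of the original message or of Ruby itself: because public_send only checks method visibility, one way to dispatch on caller-supplied method names is an explicit allowlist. Widget, AllowlistDispatcher and rejected? are hypothetical names; Widget is a constructed stand-in for the issue's Test class.

```ruby
# Constructed sample class, modelled on the issue's Test class.
class Widget
  def greet(name)
    "hello #{name}"
  end

  def status
    "ok"
  end

  private

  def secret
    "top secret"
  end
end

# Hypothetical helper (not part of Ruby core): dispatches only to names on an
# explicit allowlist, so send, __send__, instance_eval and similar methods are
# never reachable from caller-supplied input.
class AllowlistDispatcher
  class Rejected < StandardError; end

  def initialize(target, allowed)
    @target = target
    @allowed = allowed.map(&:to_s).freeze
  end

  def call(name, *args)
    name = name.to_s
    raise Rejected, "method not allowed: #{name.inspect}" unless @allowed.include?(name)
    # public_send still enforces visibility for the allowlisted name.
    @target.public_send(name, *args)
  end
end

# Returns true when the dispatcher refuses the given method name.
def rejected?(dispatcher, name, *args)
  dispatcher.call(name, *args)
  false
rescue AllowlistDispatcher::Rejected
  true
end

if __FILE__ == $PROGRAM_NAME
  d = AllowlistDispatcher.new(Widget.new, %w[greet status])
  puts d.call("greet", "bob")
  puts rejected?(d, "send", :secret)
  puts rejected?(d, "instance_eval", "secret")
end
```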