From: "spatulasnout (B Kelly)"
Date: 2013-06-02T12:09:18+09:00
Subject: [ruby-core:55230] [ruby-trunk - Feature #8468] Remove $SAFE

Issue #8468 has been updated by spatulasnout (B Kelly).

shugo (Shugo Maeda) wrote:
>
> Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4,
> also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least
> level 4).

For the record, our C++ application embeds ruby (currently both 1.8.4 and 1.9.3 interpreters), and we've been using $SAFE == 4 since 2006 or so.

As I'd described in [ruby-core:36950] --

We use $SAFE = 4 to create a sandbox for the execution of semi-trusted scripts, conforming to our application's plug-in API. "Semi-trusted" meaning of third-party origin, but not intentionally malicious. (I wouldn't bet anything valuable that our $SAFE = 4 sandbox could contain a maliciously coded script intent on breaking out of it.)

The specific case we're guarding against is a well-intentioned but buggy third-party plug-in, which, when installed by one of our users and executed by our application, might end up destroying data on the user's filesystem.

The $SAFE = 4 sandbox only allows I/O through our plug-in API, which restricts I/O to only the set of subdirectories and/or files that are pertinent to the operation being requested of the plug-in.

* * *

Note, I'm not particularly wedded to the $SAFE security model. (I have used $SAFE = 1 in a few web/CGI scripts.)

What I'd really like is a mechanism in ruby that would provide a secure sandbox that could contain completely untrusted code.

Regards,

Bill

----------------------------------------
Feature #8468: Remove $SAFE
https://bugs.ruby-lang.org/issues/8468#change-39617

Author: shugo (Shugo Maeda)
Status: Feedback
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: core
Target version: current: 2.1.0

Yesterday, at GitHub Tokyo drinkup (thanks, GitHub!), Matz agreed to remove the $SAFE == 4 feature from Ruby 2.1.
Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4, also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least level 4).

Furthermore, I'm wondering whether $SAFE should be removed entirely, or not.

Is there anyone using $SAFE?

--
http://bugs.ruby-lang.org/
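The plug-in I/O restriction Bill describes above (all file access going through a host API that confines it to the directories pertinent to the request), as an added Ruby example that is not code from this thread or from Bill's application. The PluginIO class, its method names and the scratch-directory demo are assumptions made for the example; it relies on path resolution rather than on $SAFE, which no longer exists in current Ruby.

```ruby
require "fileutils"
require "tmpdir"
# Hypothetical plug-in I/O object (constructed for this example, not code from
# the thread): the host hands each plug-in a PluginIO bound to one directory,
# and every relative path the plug-in supplies is checked against that root.
class PluginIO
  class AccessDenied < StandardError; end

  def initialize(root)
    @root = File.realpath(root)
  end
  def read(rel) File.read(resolve(rel)) end
  def write(rel, data)
    path = resolve(rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, data)
  end
  private

  # Reject absolute and "~" paths, normalise "..", then resolve symlinks on the
  # nearest existing ancestor so a link out of the root is caught even when
  # the target file does not exist yet.
  def resolve(rel)
    raise AccessDenied, "absolute or ~ path: #{rel}" if rel.start_with?("/", "~")
    full = File.expand_path(rel, @root)
    existing = full
    existing = File.dirname(existing) until File.exist?(existing)
    real = File.realpath(existing) + full[existing.length..-1]
    return real if real == @root || real.start_with?(@root + File::SEPARATOR)
    raise AccessDenied, "#{rel} escapes #{@root}"
  end
end

# One legitimate write/read, then paths a buggy plug-in might produce.
def plugin_io_demo
  Dir.mktmpdir("plugin_root") do |root|
    io = PluginIO.new(root)
    File.symlink(Dir.tmpdir, File.join(root, "link")) # symlink out of the root
    io.write("out/report.txt", "ok")
    results = { "out/report.txt" => io.read("out/report.txt") }
    ["../escape.txt", "/etc/hostname", "~/x", "link/x.txt"].each do |bad|
      io.write(bad, "x")
      results[bad] = :allowed
    rescue PluginIO::AccessDenied
      results[bad] = :denied
    end
    results
  end
end
```

`plugin_io_demo` returns a hash mapping each attempted path to the data read back (for the legitimate one) or to `:denied`.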