From: Eric Wong
Date: 2014-10-20T20:24:58+00:00
Subject: [ruby-core:65819] Re: [ruby-trunk - Feature #10351] [PATCH] prevent CVE-2014-6277

How about supporting ENV.freeze instead?

Currently ENV.freeze is a no-op, this patch changes that:
http://80x24.org/spew/m/400e216159e74b65608f2f0b296817cc9823e3bb.txt

ENV.freeze should behave like Hash#freeze and not allow future modifications to the ENV from pure Ruby libraries.

Users may call ENV.freeze to prevent 3rd-party (pure) Ruby libraries from modifying the process environment any further.

This cannot defend against users who modify the environment using 3rd-party C extensions, Fiddle, or FFI RubyGem
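
The behaviour proposed in the message above can be approximated in pure Ruby, shown here as an added example that is not part of the message or of the linked patch. The names lock_env!, env_write_blocked? and ENV_MUTATORS are hypothetical, and the guard only covers ordinary calls to ENV's mutating methods, so it is weaker than a freeze implemented in the interpreter.

```ruby
# Added illustration (not the patch from the message): emulate the proposed
# ENV.freeze semantics in pure Ruby. lock_env!, env_write_blocked? and
# ENV_MUTATORS are hypothetical names chosen for this example.

# Methods that change the process environment through ENV.
ENV_MUTATORS = %i([]= store delete clear update merge! replace shift
                  reject! delete_if select! filter! keep_if).freeze

# Replace each mutator with a singleton method that raises FrozenError,
# the error a frozen Hash raises on modification. Readers (ENV[], fetch,
# to_h, each, ...) are left alone. Returns the names that were guarded.
def lock_env!(env = ENV)
  ENV_MUTATORS.select { |name| env.respond_to?(name) }.each do |name|
    env.define_singleton_method(name) do |*_args, &_block|
      raise FrozenError, "can't modify locked ENV (#{name})"
    end
  end
end

# True when a pure-Ruby write through ENV is rejected.
def env_write_blocked?(key, value)
  ENV[key] = value
  false
rescue FrozenError
  true
end

# Intended use: finish boot-time configuration, call lock_env! once, then
# load third-party pure-Ruby code.
```

As the message notes for ENV.freeze itself, a guard at this level does nothing about code that changes the environment through C extensions, Fiddle or FFI.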