Issue #8468 has been updated by spatulasnout (B Kelly).


shugo (Shugo Maeda) wrote:
>
> Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4,
> also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least
> level 4).

For the record, our C++ application embeds ruby
(currently both 1.8.4 and 1.9.3 interpreters),
and we've been using $SAFE == 4 since 2006 or so.

As I'd described in [ruby-core:36950] --

We use $SAFE = 4 to create a sandbox for the
execution of semi-trusted scripts, conforming
to our application's plug-in API.

"Semi-trusted" meaning of third-party origin,
but not intentionally malicious.

(I wouldn't bet anything valuable that our
$SAFE = 4 sandbox could contain a maliciously
coded script intent on breaking out of it.)

The specific case we're guarding against is
a well-intentioned but buggy third-party
plug-in, which, when installed by one of our
users and executed by our application, might
end up destroying data on the user's
filesystem.

The $SAFE = 4 sandbox only allows I/O through
our plug-in API, which restricts I/O to only
the set of subdirectories and/or files that
are pertinent to the operation being requested
of the plug-in.

  *  *  *

Note, I'm not particularly wedded to the $SAFE
security model.  (I have used $SAFE = 1 in a
few web/CGI scripts.)

What I'd really like is a mechanism in ruby
that would provide a secure sandbox that could
contain completely untrusted code.


Regards,

Bill
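
The I/O confinement Bill describes (plug-in scripts may only touch files through a host-provided API that limits them to the directories pertinent to the request), as an added example that is not code from this thread or from his application. It shows the path-containment half of such a plug-in API on its own: $SAFE level 4 was removed in Ruby 2.1 and $SAFE has had no effect since Ruby 3.0, so the example relies entirely on explicit path checks rather than on tainting. The class name `PluginIO`, the method names, the `run_buggy_plugin` scenario and all paths and file contents are assumptions constructed for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not code from the original post or the poster's application.
# A plug-in I/O API that confines every read, write and delete to one directory
# tree chosen by the host, the role the plug-in API plays next to $SAFE = 4 in
# the post above. Confinement is done purely by path checks here.
class PluginIO
  class AccessDenied < StandardError; end

  def initialize(root)
    # Canonicalise the root once so later prefix comparisons use real paths.
    @root = File.realpath(root)
  end

  def read(rel)
    File.read(resolve(rel))
  end

  def write(rel, data)
    path = resolve(rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, data)
    path
  end

  def delete(rel)
    File.delete(resolve(rel))
  end

  private

  # Map a plug-in supplied path to a canonical absolute path and reject
  # anything ("..", absolute paths, symlinks) that leaves the root.
  def resolve(rel)
    candidate = File.expand_path(rel, @root) # collapses "." and ".." lexically
    canonical = canonicalise(candidate)
    unless canonical == @root || canonical.start_with?(@root + File::SEPARATOR)
      raise AccessDenied, "#{rel.inspect} escapes #{@root}"
    end
    canonical
  end

  # File.realpath needs an existing path; for a file about to be created,
  # resolve the deepest existing ancestor and re-append the remainder, so a
  # symlink anywhere on the way out of the tree is still followed and caught.
  def canonicalise(path)
    rest = []
    until File.exist?(path) || File.symlink?(path)
      rest.unshift(File.basename(path))
      path = File.dirname(path)
    end
    File.join(File.realpath(path), *rest)
  rescue Errno::ENOENT
    # A dangling symlink: refusing is safer than creating its target.
    raise AccessDenied, "dangling symlink at #{path}"
  end
end

# Constructed scenario (assumed, not from the thread): a well-meaning plug-in
# that builds paths with one ".." too many, or through a symlink. Returns which
# operations were allowed and which were refused.
def run_buggy_plugin
  Dir.mktmpdir do |tmp|
    plugin_dir = File.join(tmp, 'plugin_data')
    FileUtils.mkdir_p(plugin_dir)
    victim = File.join(tmp, 'user_document.txt')
    File.write(victim, 'irreplaceable')
    FileUtils.ln_s(tmp, File.join(plugin_dir, 'escape')) # symlink out of the tree

    io = PluginIO.new(plugin_dir)
    results = {}
    results[:write_inside] = File.exist?(io.write('cache/out.txt', 'ok'))
    results[:read_back] = io.read('cache/out.txt')
    attempts = {
      delete_dotdot:     -> { io.delete('../user_document.txt') },
      delete_absolute:   -> { io.delete(victim) },
      delete_symlink:    -> { io.delete('escape/user_document.txt') },
      write_via_symlink: -> { io.write('escape/new.txt', 'x') }
    }
    attempts.each do |name, op|
      begin
        op.call
        results[name] = :allowed
      rescue PluginIO::AccessDenied
        results[name] = :denied
      end
    end
    results[:victim_intact] = File.read(victim) == 'irreplaceable'
    results
  end
end
```

The check compares canonical paths with a trailing separator so that a sibling directory whose name merely starts with the root's name (`plugin_data2` next to `plugin_data`) is not accepted, and it resolves symlinks on the deepest existing ancestor rather than only on paths that already exist, which is where a write-through-symlink escape would otherwise slip past.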

----------------------------------------
Feature #8468: Remove $SAFE
https://bugs.ruby-lang.org/issues/8468#change-39617

Author: shugo (Shugo Maeda)
Status: Feedback
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: core
Target version: current: 2.1.0


Yesterday, at GitHub Tokyo drinkup (thanks, GitHub!), Matz agreed to remove the $SAFE == 4 feature from Ruby 2.1.
Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4, also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least level 4).

Furthermore, I'm wondering whether $SAFE should be removed entirely, or not.
Is there anyone using $SAFE?


-- 
http://bugs.ruby-lang.org/