Issue #8468 has been updated by Student (Nathan Zook).


boris_stitnicky (Boris Stitnicky) wrote:
> @Nathan: Do you mean that Perl has $SAFE = 1 by default?

No, I'm saying that perl has a taint property very much like ruby's, and that perl has a safe mode very similar to ruby's $SAFE = 1, and that the perl community takes it seriously.

The result is that the nonsense which we hit in Jan hasn't been a problem there for a long, long time.  I'm not saying that there are no security flaws in perl programs, far from it.  I'm saying that trusting user input by default in a web app in the 21st century is a special kind of stupid.

----------------------------------------
Feature #8468: Remove $SAFE
https://bugs.ruby-lang.org/issues/8468#change-39631

Author: shugo (Shugo Maeda)
Status: Feedback
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: core
Target version: current: 2.1.0


Yesterday, at GitHub Tokyo drinkup (thanks, GitHub!), Matz agreed to remove the $SAFE == 4 feature from Ruby 2.1.
Shibata-san, a developer of tDiary, which is the only application using $SAFE == 4, also agreed to remove it, so today is a good day to say goodbye to $SAFE (at least level 4).

Furthermore, I'm wondering whether $SAFE should be removed entirely, or not.
Is there anyone using $SAFE?


-- 
http://bugs.ruby-lang.org/