>>>>> "F" == Florian Gross <flgr / ccan.de> writes:

F> I believe this one to be safe, but I'd prefer to be proven the opposite 
F> by you instead of some malicious attacker.

 It depends on how you use the object after this ...

svg% cat b.rb
#!/usr/bin/ruby
def safe(code, sandbox = nil)
  error, result = nil, nil
  begin
    thread = Thread.new do
      sandbox ||= Object.new.taint
      yield(sandbox) if block_given?
      $-w = nil
      $SAFE = 5
      eval(code, sandbox.send(:binding))
    end
    result = secure_object(thread.value)
  rescue Exception => error
    error = secure_object(error)
  end
  return result, error
end

def secure_object(obj)
  # We can't dup immediate values. But that's no problem
  # because most of them can't have any singleton methods
  # anyway. (nil, true and false can, but they can't be
  # defined in safe contexts.)
  immediate_classes = [Fixnum, Symbol, NilClass, TrueClass, FalseClass]
  return obj if immediate_classes.any? { |klass| klass === obj }
  # Dup won't copy any singleton methods and without any
  # of them the Object will be safe. (But we can't call
  # the Object's .dup because it might be evil already.)
  safe_dup = Object.instance_method(:dup).bind(obj)
  safe_dup.call
end



p safe(IO::read("aa"))
svg% 

svg% b.rb
[#<Object:0x40098e18 @a=hello :-)>, nil]
svg% 

svg% cat b.rb
cat: b.rb: No such file or directory
svg% 



Guy Decoux
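
Added example, not part of the original message or of either poster's code: in the transcript above, `p` prints `@a=hello :-)` without quotes, which is what a custom `inspect` on the instance variable produces. This sketch shows that a shallow `Object#dup` leaves such nested singleton methods in place, and walks the returned object to report them. It assumes current Ruby (no `$SAFE`); the helper names `raw`, `shallow_secure`, `singleton_carriers` and `constructed_result` are hypothetical, and the sample object is constructed and harmless.

```ruby
# Call Kernel's own implementation so the inspected object cannot answer for itself.
def raw(obj, meth, *args)
  Kernel.instance_method(meth).bind(obj).call(*args)
end

# Same technique as secure_object in the post: a shallow Object#dup.
def shallow_secure(obj)
  Object.instance_method(:dup).bind(obj).call
end

# Return the path of every object reachable through instance variables
# (or Array/Hash values) that still carries singleton methods.
def singleton_carriers(obj, path = "result", seen = {}.compare_by_identity)
  return [] if seen.key?(obj)
  seen[obj] = true
  found = []
  found << path unless raw(obj, :singleton_methods).empty?
  raw(obj, :instance_variables).each do |name|
    child = raw(obj, :instance_variable_get, name)
    found.concat(singleton_carriers(child, "#{path}.#{name}", seen))
  end
  children = case obj
             when Array then obj
             when Hash  then obj.values
             else []
             end
  children.each_with_index do |v, i|
    found.concat(singleton_carriers(v, "#{path}[#{i}]", seen))
  end
  found
end

# Constructed sample: an object whose instance variable overrides inspect.
# The override only returns a string.
def constructed_result
  inner = String.new("hello :-)")
  def inner.inspect; to_s; end
  outer = Object.new
  def outer.to_s; "outer"; end
  outer.instance_variable_set(:@a, inner)
  outer
end

original = constructed_result
copy = shallow_secure(original)
p singleton_carriers(original)  # top-level object and @a both flagged
p singleton_carriers(copy)      # dup cleaned the top level only
```

A caller that gets a non-empty list back should treat the result as untrusted and avoid `p`, `inspect`, `to_s` or any other method dispatch on it.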