Hi all,

This is a summary of the ruby-dev ML for recent days.

[ruby-dev:26100] FileUtils.rm_rf security problem (contd.)

  TANAKA Akira reported a local vulnerability in FileUtils.rm_r.
  This problem is known as a TOCTTOU (time-of-check-to-time-of-use)
  problem.  For details of this vulnerability, see the following cases:

      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452

  Minero Aoki, the maintainer of fileutils.rb, implemented several
  versions of rm_r but they are still incomplete.

  This issue is still open.

[ruby-dev:26128] ruby needs two Ctrl-C for termination

  Tanaka Akira reported that ruby does not exit on a single Ctrl-C
  with the following program:

    trap(:INT, "EXIT")
    Thread.start { Thread.pass }
    STDIN.sysread(4096)

  This issue is still open.

[ruby-dev:26132] Hash#hash on 1.9

  H.Yamamoto reported that Hash#hash returns different hash values
  for the same hash tables:

    % ruby -e '
    h = {1=>nil, 2=>nil, []=>nil, {}=>nil, 5=>nil}
    p h.hash
    p h.clone.hash
    '
    3640
    10552

  Matz resolved this problem by removing custom Hash#hash and Hash#eql?.

[ruby-dev:26156] ruby 1.8.3 preview1

  Matz released ruby 1.8.3 preview1.
  Here is a list of known bugs.  This list includes additional items.

    [ruby-dev:24243] Re: private load and Module.nesting
    [ruby-dev:26010] rb_attr_get may warn
    [ruby-dev:26100] FileUtils.rm_rf security problem
    [ruby-dev:26128] ruby needs two ^C for termination

    [ruby-core:4622] tempfile.rb
    [ruby-core:4326] RDoc parse_c.rb for C ext libs consisting of many *.c files
    [ruby-core:4328] Re: RDoc parse_c.rb for C ext libs consisting of many *.c files
    [ruby-core:4302] [PATCH] RDoc parse_rb.rb: Logic for def Builtin.method() end
    [ruby-core:4572] [PATCH] RDoc - :nodoc: and macro in C
    [ruby-core:4869] [BUG] Infinite loop on YAML.dump (Re: ruby-list:40801)

  Masahiro Tomita claimed that ruby should not warn when loading
  getopts with $VERBOSE=false.  Matz agreed with him.  In addition,
  WATANABE Hirofumi said that optparse.rb is too difficult to use,
  and he recommended bundling ropt instead.  For details of ropt,
  refer to RAA:

    http://raa.ruby-lang.org/project/ropt/

[ruby-dev:26180] glob without String

  Nobuyoshi Nakada posted a patch which allows rb_glob() to be called
  before ruby_init().  This patch was incorporated.


-- Minero Aoki

ruby-dev summary index:
http://i.loveruby.net/en/ruby-dev-summary.html
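
The check-then-use window behind the rm_r report in [ruby-dev:26100], shown as an added Ruby example (not code from fileutils.rb or from this summary). The helper names, the `between:` hook and the temp-dir layout are constructed for illustration; the example covers only detecting a swapped directory during descent, not a complete rm_r.

```ruby
require "tmpdir"
require "fileutils"

# Two File::Stat objects name the same filesystem entry only if both
# the device and the inode number match.
def same_entry?(a, b)
  a.dev == b.dev && a.ino == b.ino
end

# Racy pattern: check the path, then use the same path by name again.
# `between` stands in for what another local process does in that window.
def list_dir_racy(path, between: nil)
  return [] unless File.lstat(path).directory?   # time of check
  between&.call
  Dir.children(path).sort                        # time of use, follows symlinks
end

# Checked pattern: enter the directory, then confirm that "." is the entry
# that was checked. After chdir, "." no longer depends on the path name.
def list_dir_checked(path, between: nil)
  checked = File.lstat(path)
  return [] unless checked.directory?
  between&.call
  Dir.chdir(path) do
    unless same_entry?(checked, File.stat("."))
      raise SecurityError, "#{path} changed between check and use"
    end
    Dir.children(".").sort
  end
end

# Constructed scenario in a throwaway temp dir: after the check has passed,
# "work/sub" is renamed away and replaced by a symlink to "other".
def run_swapped(lister)
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(["#{root}/work/sub", "#{root}/other"])
    FileUtils.touch(["#{root}/work/sub/scratch", "#{root}/other/keep"])
    target = "#{root}/work/sub"
    swap = lambda do
      File.rename(target, "#{target}.moved")
      File.symlink("#{root}/other", target)
    end
    send(lister, target, between: swap)
  rescue SecurityError
    :swap_detected
  end
end
```

A recursive remover built on the racy form would go on to delete what it listed, which is why the identity check has to happen after entering the directory and before anything in it is touched.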