Hi,

This is ruby-dev summary 27761-28026.

----
Vulnerability information (webrick, xmlrpc)

Matz reported two vulnerabilities in webrick and xmlrpc that allow
denial-of-service (DoS) attacks against ruby 1.8.2 and earlier.  Both
are fixed in ruby 1.8.3, so everyone is recommended to use ruby 1.8.3
or later.  Patches for ruby 1.8.2 are also available:

  ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-webrick-dos-1.patch
  ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch

Details of these problems will be posted independently.


[ruby-dev:27794] sample/svr.rb DoS vulnerability

Akira Tanaka reported a DoS vulnerability in sample/svr.rb, together
with a sequence of steps that reproduces the attack.

For the details and the reproduction steps, see [ruby-dev:27794].


[ruby-dev:27795] DRb DoS vulnerability

Akira Tanaka also pointed out a DoS vulnerability in DRb.

For details, see [ruby-dev:27795].


By the way, all four of the vulnerabilities above were *reported by
Akira Tanaka*.


[ruby-dev:27871] Numeric and Complex

Matz requested comments on the following problem:

Ruby's Numeric class includes the Comparable module, which assumes
that values are linearly ordered.  Complex values are not.  The
current implementation of Complex#<=> compares by Complex#abs, which
cannot distinguish values with the same absolute value, yet Complex
values can still be used as Range bounds.

To solve this problem, Matz proposed the following options:

* Make a new superclass of Integer, Float, Rational, etc., and have
  that class include Comparable.
* Have each of the classes (Integer, Float, Rational) include
  Comparable directly.
* Give Complex a superclass other than Numeric.
* Keep things as they are.

After active discussion, Matz decided as follows:

* undef Complex#<=>
* add a new method Numeric#scalar?
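The following is an added example, not code from the thread or from the
ruby tree, showing why an abs-based Complex#<=> violates the Comparable
contract and how a scalar predicate avoids the problem.  It assumes Ruby
1.9 or later, where Numeric#real? is true for Integer, Float and Rational
and false for Complex; that real? corresponds to the Numeric#scalar?
decided on above is an assumption of the example, as are the helper
names abs_cmp, scalar_cmp, complex_range_check and partition_and_sort.

```ruby
# Added example (not from the ruby-dev thread): the ordering problem with an
# |z|-based Complex#<=>, and a <=> that refuses to order non-scalar values.
# Assumes Ruby >= 1.9 (Numeric#real? / Complex#real?).

# The ordering the summary describes: compare complex numbers by absolute value.
def abs_cmp(a, b)
  a.abs <=> b.abs
end

# Comparable's contract: (a <=> b) == 0 exactly when a == b.  Distinct points on
# the same circle around the origin break it under abs_cmp.
def abs_cmp_consistent?(a, b)
  (abs_cmp(a, b) == 0) == (a == b)
end

# Mirrors the decision to undef Complex#<=> rather than fake a linear order:
# only scalar (real) numbers are compared, anything else yields nil.
# (Assumption: Numeric#real? plays the role of the proposed Numeric#scalar?.)
def scalar_cmp(a, b)
  return nil unless a.real? && b.real?
  a <=> b
end

# Range.new needs a usable <=> between its bounds.  With Complex#<=> undefined
# (1.9 to 2.6) or returning nil for non-real values (2.7+), a Range over
# non-real Complex bounds is rejected instead of silently ordered by |z|.
def complex_range_check
  Range.new(Complex(1, 1), Complex(2, 2))
  :accepted
rescue ArgumentError, NoMethodError
  :rejected
end

# Sort only the values that have a linear order; hand the rest back untouched.
def partition_and_sort(values)
  scalars, others = values.partition(&:real?)
  [scalars.sort, others]
end
```

Note that abs_cmp(Complex(3, 4), Complex(0, 5)) returns 0 although the
two values are not equal, which is exactly the inconsistency that made
Complex#<=> unsuitable for Comparable.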


[ruby-dev:27890] rb_funcall2() for protected method

Nobuyoshi Nakada proposed that rb_funcall2() should be able to invoke
protected methods, and posted a patch to change this behavior.

Matz accepted the change, which makes the example in
[ruby-talk:169057] work.


[ruby-dev:27904] ruby 1.8.4 preview2

ruby 1.8.4 preview2 was released.

  ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.4-preview2.tar.gz
  MD5: e5a48054fb34f09da17e8e8f04b8c706

This was also announced at [ruby-core:06798] ruby 1.8.4 preview2:
  http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/06798

If you have time, please test preview2.


[ruby-dev:27972] A Sample of Ruby/Tk

Hidetoshi NAGAI proposed committing the Ruby/Tk sample posted at
[ruby-talk:169227], because the sample seems useful.

Matz agreed to include it in ruby 1.8.4.


[ruby-dev:27984] modified restarg with zsuper

Koichi Sasada proposed that the following example should not raise
ArgumentError, because a bare "super" should work as "super(a, *b)" in
this case:

	class C
	  def m(a, b)
	  end
	end
	
	class D < C
	  def m(a, *b)
	    b[0] ||= 2 # if no rest arguments are given, add one
	    super
	  end
	end
	
	D.new.m(1, 2)  # OK, no problem
	
	D.new.m(1)
	# wrong number of arguments (1 for 2) (ArgumentError)
	# in current interpreter (1.9.0)


Matz agreed with this proposal.

YARV already behaves this way :)
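As an added example (not from the thread), here is what the parent method
actually receives when a bare "super" is called after the parameters have
been modified.  It assumes Ruby 1.9 or later, where zsuper forwards the
current values of the method's parameters; the class names Base and Child
and the helper names are made up for the example.

```ruby
# Added example (not from the ruby-dev thread): zsuper after modifying a rest
# argument and after reassigning a positional argument.  Assumes Ruby >= 1.9.

class Base
  attr_reader :received

  def m(a, b)
    @received = [a, b]   # record exactly what the child forwarded
    self
  end
end

class Child < Base
  def m(a, *b)
    b[0] ||= 2          # if no rest arguments are given, add one (as on the page)
    a = a * 10          # a reassigned positional parameter is forwarded too
    super               # behaves as super(a, *b) with the current values
  end
end

# What Base#m ends up receiving for a given call to Child#m.
def forwarded_args(*args)
  Child.new.m(*args).received
end

# Too many rest arguments are still a caller error: Base#m takes exactly two.
def forwarded_args_or_error(*args)
  forwarded_args(*args)
rescue ArgumentError
  :argument_error
end
```

With a single argument the child fills in the missing rest value and the
parent sees two arguments; with three, the forwarded call itself fails
the parent's arity check.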


[ruby-dev:27991] GC.always

Akira Tanaka proposed a "GC.always" method.  It would force the
interpreter to invoke GC whenever GC can be invoked, which means at
every object allocation and every memory allocation.  This helps
when debugging GC-related bugs in the interpreter.

Matz rejected the method name "GC.always" (not the feature, only the
name).  "GC.debug" was proposed as an alternative.

This issue is still open.
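As an added example (not from the thread), the behavior described above
is available in modern Ruby (1.9 and later) as GC.stress: while it is
true, the interpreter runs a collection at every allocation.  The helper
below, whose names are made up for the example, runs a block under stress,
reports how many collections it triggered, and restores the previous
setting so the rest of the process is not slowed down.

```ruby
# Added example (not from the ruby-dev thread): using GC.stress, the modern
# Ruby setting with the semantics proposed here, to exercise GC on every
# allocation while a block runs.  Assumes Ruby >= 1.9 (GC.stress, GC.count).

# Runs the block with GC.stress set to +stress+ and returns
# [block result, number of collections that happened during the block].
# The previous stress setting is restored even if the block raises.
def gc_count_under_stress(stress)
  previous = GC.stress
  GC.stress = stress
  before = GC.count
  result = yield
  [result, GC.count - before]
ensure
  GC.stress = previous
end

# Allocate a handful of objects; under stress each allocation forces a GC,
# which is how GC bugs that only show up "at the wrong moment" get flushed out.
def allocate_some(n)
  Array.new(n) { |i| "object-#{i}" }.size
end
```

Use it only around the code under investigation: every allocation pays for a
full collection, so leaving GC.stress enabled makes a program orders of
magnitude slower.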


[ruby-dev:27996] How about "Time Literal"?

take_tk proposed a "Time literal" written in ISO 8601 form.  For
example, 19850412T101530 would denote the Time "12 Apr 1985 10:15:30".

This issue is still open.
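No such literal exists in Ruby, so as an added example (not from the
thread) here is a strict parser for the ISO 8601 basic form used in the
proposal, YYYYMMDDThhmmss, written as an ordinary method.  It rejects
anything that is not exactly that shape and any calendar-impossible date,
which Time.utc would otherwise silently roll over.  The constant ISO_BASIC
and the method name are made up for the example.

```ruby
# Added example (not from the ruby-dev thread): strict parsing of the
# ISO 8601 basic form 19850412T101530 into a UTC Time.  Assumes Ruby >= 1.9.

ISO_BASIC = /\A(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})\z/

# Returns a UTC Time for a well-formed, calendar-valid stamp, or nil otherwise.
def parse_iso_basic(stamp)
  m = ISO_BASIC.match(stamp)
  return nil unless m
  y, mo, d, h, mi, s = m.captures.map(&:to_i)
  return nil unless (1..12).cover?(mo) && (1..31).cover?(d) &&
                    h < 24 && mi < 60 && s < 60
  t = Time.utc(y, mo, d, h, mi, s)
  # Time.utc normalises a day past the end of the month (e.g. 31 April becomes
  # 1 May) instead of failing; comparing the day back catches that.
  t.day == d ? t : nil
rescue ArgumentError
  nil
end
```

Extended-form input ("1985-04-12T10:15:30") and a trailing zone designator
are deliberately not accepted, since the proposal only shows the bare basic
form.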

----
ruby-dev summary index: http://i.loveruby.net/en/ruby-dev-summary.html

-- 
// SASADA Koichi at atdot dot net