>>>>> "j" == justin crawford <justin.crawford / cusys.edu> writes:

j> In eRuby, the same series of calls with the same parameters put
j> "Insecure operation - initialize" into ldap.rb's $! variable at the
j> moment of initialization:

 Well, if I remember well, eruby runs with $SAFE = 1

j>    1017     def initialize server
j>    1018       begin
j>    1019         @conn = TCPsocket.new( server[:host], server[:port] )
                                          ^^^^^^^^^^^^^

 This is the variable which must be, carefully, untainted

moulon% ruby -rsocket -e 'TCPsocket.new("moulon".taint, 21)'
moulon%
 
moulon% ruby -rsocket -e '$SAFE = 1; TCPsocket.new("moulon".taint, 21)'
-e:1:in `initialize': Insecure operation - initialize (SecurityError)
	from -e:1
moulon% 


Guy Decoux
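
One way to do the "careful" untainting described above, as an added example that is not part of the original post or of ldap.rb: the host is checked against a strict pattern and an allowlist before the taint flag is cleared. `ALLOWED_HOSTS`, `checked_host` and `checked_endpoint` are hypothetical names, the allowlist entries are constructed, and `untaint` is only called where the interpreter still provides it.

```ruby
# Added example: ALLOWED_HOSTS, checked_host and checked_endpoint are
# hypothetical names; the allowlist entries are constructed sample values.
ALLOWED_HOSTS = %w[moulon ldap.example.org].freeze

# Dot-separated labels of letters, digits and hyphens (1-63 chars each, no
# leading or trailing hyphen). \A and \z anchor the whole string; ^ and $
# would accept "moulon\nanything".
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/

def checked_host(raw)
  host = raw.to_s.downcase
  unless host.length <= 253 && host =~ HOSTNAME_RE
    raise ArgumentError, "malformed host: #{raw.inspect}"
  end
  raise ArgumentError, "host not allowed: #{host}" unless ALLOWED_HOSTS.include?(host)
  clean = host.dup
  # Clear the taint flag only after both checks passed, and only on
  # interpreters that still have it (taint tracking was removed in Ruby 3.2).
  clean.untaint if clean.respond_to?(:untaint)
  clean
end

def checked_endpoint(server)
  port = Integer(server[:port].to_s, 10)   # rejects "", "0x15", "21; x"
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).include?(port)
  [checked_host(server[:host]), port]
end

if __FILE__ == $0
  # Constructed inputs: one acceptable, three that must be refused.
  [{ host: "Moulon", port: "21" },
   { host: "moulon\nevil", port: 21 },
   { host: "other.example.net", port: 389 },
   { host: "moulon", port: "0x15" }].each do |server|
    begin
      puts "ok       #{checked_endpoint(server).inspect}"
    rescue ArgumentError => e
      puts "refused  #{e.message}"
    end
  end
end
```

The validated pair is what would be passed to the socket constructor; a value that raises never reaches it.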