On 29/08/06, Eric Hodel <drbrain / segment7.net> wrote: > On Aug 29, 2006, at 2:26 PM, Farrel Lifson wrote: > > I'm implementing a system where users will be able to execute short > > snippets of ruby code and It'll be executing in a thread with $SAFE > > set to 4. From my reading it seems like there have been some > > vulnerabilities where users can run some mischevous code. Is this > > still the case? I know _why is working on Sandbox but I don't think I > > will have it avaiable in my environment. I'm basically doing something > > like the following: > > > > thread = Thread.new do > > $SAFE=4 > > instance_eval(userCode) > > end > > # 10 second timeout > > if !thread.join(10) > > thread.kill > > end > > > > That tries to get rid of any potential DOS style attacks. Is there > > anything else that could go wrong with this approach? > > 999999**99999 > Thread.critical = true > > There are other things that will DOS a $SAFE = 4 sandbox. > > -- > Eric Hodel - drbrain / segment7.net - http://blog.segment7.net > This implementation is HODEL-HASH-9600 compliant > > http://trackmap.robotcoop.com > > > > Would undef'ing Thread#criticial= before calling instance_eval help in this regard?