Hi,
In message "[ruby-talk:02650] [1.5] eval / module_eval"
on 00/05/09, ts <decoux / moulon.inra.fr> writes:
| I'm still trying to understand the security mechanism of ruby.
|
| Why is there a difference between eval and module_eval?

eval() evaluates a string under the current context. module_eval()
evaluates a string/block under the context of the module. If you evaluate
a `def' statement with eval(), a method will be defined in the current
class/module. A method will be defined in the receiver (class or
module) by module_eval().

| Apparently eval is protected with (from rb_f_eval):
|
|     if (ruby_safe_level >= 4) {
|         Check_Type(src, T_STRING);
|     }
|     else {
|         Check_SafeStr(src);
|     }
|
| and module_eval with (from eval_under):
|
|     Check_SafeStr(src);

And this means ... well ... I'm not perfect. It's a bug.
matz.
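
The context difference described in the reply above, as an added example that is not part of the original message. The class names Holder and Target and the method names are hypothetical; the example shows only where `def` and `self` resolve for each call, not the safe-level checks.

```ruby
# Added example, not from the original thread. Holder and Target are
# hypothetical names; the source strings are constructed for the demo.
class Target; end

class Holder
  # eval() runs the string in the caller's context: self is this Holder
  # instance and a `def` in the string is defined on Holder.
  def define_with_eval(src)
    eval(src)
  end

  # module_eval() runs the string in the context of its receiver: self is
  # Target and a `def` in the string is defined on Target, no matter
  # which object makes the call.
  def define_with_module_eval(src)
    Target.module_eval(src)
  end
end

SRC_EVAL   = "def from_eval; :defined_by_eval; end; self"
SRC_MODULE = "def from_module_eval; :defined_by_module_eval; end; self"

# Evaluates both strings and reports where each method was defined and
# what `self` was while the string ran.
def run_demo
  holder = Holder.new
  eval_self   = holder.define_with_eval(SRC_EVAL)
  module_self = holder.define_with_module_eval(SRC_MODULE)
  {
    eval_self_is_holder: eval_self.equal?(holder),
    module_self: module_self,
    holder_methods: Holder.instance_methods(false).sort,
    target_methods: Target.instance_methods(false).sort,
  }
end

if __FILE__ == $0
  run_demo.each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

Both calls accept arbitrary source text, so any input check applied to one entry point has to be applied to the other as well.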