(Reposted from ruby-talk ML to comp.lang.ruby.)
ts <decoux / moulon.inra.fr> writes:
Good stuff
matz / netlab.co.jp (Yukihiro Matsumoto) writes:
More good stuff...
Thank you both for all your trouble.
Here's the updated list:
$SAFE >= 1
* For setuid and setgid scripts, the environment variable
RUBYLIB is not processed, and the current directory is not added
to the path.
* The environment variable RUBYOPT is not processed.
* The command line options -e, -i, -I, -r, -s, -S, and -x are
not allowed.
* Processes can't be exec'd from $PATH if any directory
in it is world-writable.
* Can't manipulate or chroot to a directory whose name is a tainted
string.
* Can't glob tainted strings.
* Can't eval tainted strings.
* Can't load or require a file whose name is a tainted string.
* Can't manipulate or query the status of a file or pipe whose
name is a tainted string.
* Can't execute a system command or exec a program from a tainted
string.
* Can't pass trap a tainted string.
$SAFE >= 2
* Can't change, make, or remove directories, or use chroot.
* Can't load a file from a world-writable directory.
* Can't load a file from a tainted filename starting with ~.
* Can't use File.fstat, File.lstat, File.chmod, File.chown,
File.umask, File.truncate, File.flock, IO.ioctl, IO.syscall,
Kernel.fork, Kernel.trap, Proc.setpgid, Proc.setsid,
Proc.setpriority, Proc.setegid.
* Can't handle signals using trap.
$SAFE >= 3
* All objects are created tainted.
* Can't untaint objects.
$SAFE >= 4
* Can't modify non-tainted array, hash, or string.
* Can't modify global variables.
* Can't access instance variables of non-tainted objects.
* Can't change environment variables.
* Can't close or reopen non-tainted files.
* Can't freeze non-tainted objects.
* Can't change visibility of methods (private/public/protected).
* Can't make an alias in a non-tainted class or module.
* Can't get meta information (such as method or variable lists).
* Can't define, redefine, remove, or undef a method in a non-tainted
class or module.
* Can't modify Object.
* Can't remove instance variables or constants from non-tainted
objects.
* Can't manipulate threads, terminate a thread other than the
current, or set abort_on_exception.
* Can't have thread local variables.
* Can't raise an exception in a thread with a lower $SAFE value.
* Can't move threads between ThreadGroups.
* Can't invoke exit, exit!, or abort.
* Can only load wrapped files, and can't include modules
into non-tainted classes and modules.
* Can't convert symbol ids to object references.
* Can't write to files or pipes.
* Can't use autoload.
* Can't taint objects.
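As an added illustration (not part of the original post, and not Ruby's own implementation), here is a small model of the gating the list describes: taint carried from untrusted input into a dangerous sink is refused at $SAFE >= 1, and untaint is refused at $SAFE >= 3. It is written in plain Ruby because tainting and the $SAFE restrictions were removed from Ruby 3; the TString and SafeSink classes are assumed names for the model.

```ruby
# Model of Ruby's taint gating (added example, not the interpreter's code).
# Ruby's built-in SecurityError is reused to mirror the real "Insecure operation" error.
class TString
  attr_reader :str
  def initialize(str, tainted); @str = str.dup.freeze; @tainted = tainted; end
  def self.from_user(str); new(str, true); end   # data from outside: tainted
  def self.literal(str); new(str, false); end    # program text: untainted
  def tainted?; @tainted; end
  # Taint propagates: anything built from a tainted string is tainted.
  def +(other)
    other_str = other.is_a?(TString) ? other.str : other.to_s
    other_t = other.is_a?(TString) && other.tainted?
    TString.new(@str + other_str, @tainted || other_t)
  end
  # "Can't untaint objects" at $SAFE >= 3.
  def untaint(safe_level)
    raise SecurityError, "Insecure operation - untaint" if safe_level >= 3
    TString.new(@str, false)
  end
end

class SafeSink
  def initialize(safe_level); @safe = safe_level; end
  # "Can't execute a system command ... from a tainted string" at $SAFE >= 1.
  # Returns the argv it would have run instead of spawning a process.
  def system(cmd)
    raise SecurityError, "Insecure operation - system" if @safe >= 1 && cmd.tainted?
    cmd.str.split(" ")
  end
end

# The validation step that justifies untainting: accept only a hostname-like token.
def validated_host(input, safe_level)
  raise ArgumentError, "bad host" unless input.str =~ /\A[a-z0-9.-]+\z/
  input.untaint(safe_level)
end

# Walk one request through the sink at a given $SAFE level and report the outcome.
def demo(raw_input, safe_level)
  user = TString.from_user(raw_input)            # constructed untrusted input
  sink = SafeSink.new(safe_level)
  begin
    sink.system(TString.literal("ping -c 1 ") + user)
    :ran_tainted                                 # $SAFE 0: no check at all
  rescue SecurityError
    sink.system(TString.literal("ping -c 1 ") + validated_host(user, safe_level))
    :ran_validated                               # tainted data refused, validated copy accepted
  end
rescue SecurityError
  :blocked_cannot_untaint                        # $SAFE >= 3: even validated data stays tainted
rescue ArgumentError
  :rejected_input                                # validation failed, nothing reaches the sink
end
```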