On Apr 14, 2008, at 11:58 PM, Rick DeNatale wrote:
> On Mon, Apr 14, 2008 at 12:32 PM, Robert Dober <robert.dober / gmail.com> wrote:
>> On Mon, Apr 14, 2008 at 4:42 PM, Marc Heiler <shevegen / linuxmail.org> wrote:
>>>> I however wonder if the need of doing metaprogramming to
>>>> find your classes is really a good sign for your design.
>>>
>>> I am not to judge about his design, but I believe using .send and
>>> Object.const_get is not really "metaprogramming". They seem
>>> to be perfectly valid Ruby idioms.
>>
>> Oh I did not want to judge, I am always having strong opinions loosely
>> held (C) Rick de Natale ;).
>> I am also open to discussion where metaprogramming begins.
>
> Whether or not send and const_get are metaprogramming aside, I think
> the real issue here is security.
>
> Using strings which come from a user and arbitrarily getting a class
> or sending a message can open Pandora's box.
>
> Not that it's to be avoided completely, just that it raises a flag to
> think about the security aspects.
>
> -- 
> Rick DeNatale
>
> My blog on Ruby
> http://talklikeaduck.denhaven2.com/
>

Actually, in Ruby 1.8, this is a real issue. In Ruby 1.8, #const_get
finds every valid constant within the context of your Module, even
inherited ones.

 >> class A
 >> end
=> nil
 >> module C
 >>   class B
 >>   end
 >> end
=> nil
 >> C.const_get("A")
=> A
 >>

In Ruby 1.9, there is the possibility of avoiding this:

 >> class A
 >> end
=> nil
 >> module C
 >>   class B
 >>   end
 >> end
=> nil
 >> C.const_get("A", false) #don't search for inherited classes
=> A
 >>

This gives you the possibility to group allowed Constants in a Module.

Regards,
Florian Gilcher
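Added example (not from the thread or any of its authors): the "group allowed constants in a Module" idea above, written out as an allowlisted lookup with `const_get(name, false)`, next to the default-inherit lookup the thread warns about. The module, class and handler names are invented for the illustration; the name check is an added precaution so that only a bare constant name ever reaches `const_get`.

```ruby
# Constructed example: resolve a user-supplied handler name to a class.

class ExportHandler; end     # top-level class, NOT meant to be selectable

module AllowedHandlers      # the allowlist: only constants defined here count
  class Csv
    def run(rows)
      rows.map { |r| r.join(",") }.join("\n")
    end
  end
  class Json
    def run(rows)
      rows.inspect
    end
  end
  FORMAT_VERSION = 2         # a non-class constant that also lives here
end

# A bare constant name only: no "Foo::Bar", no leading "::", no lowercase.
SIMPLE_CONST_NAME = /\A[A-Z][A-Za-z0-9_]*\z/

# Hardened lookup. Returns the Class for an allowlisted name, nil otherwise.
def lookup_handler(name)
  name = name.to_s
  return nil unless name.match?(SIMPLE_CONST_NAME)
  # inherit = false: search AllowedHandlers itself, not Object or ancestors.
  return nil unless AllowedHandlers.const_defined?(name, false)
  klass = AllowedHandlers.const_get(name, false)
  klass.is_a?(Class) ? klass : nil      # FORMAT_VERSION etc. are not handlers
end

# For comparison, the lookup the thread warns about: on a Module the default
# inherit = true also searches Object, so every top-level class is reachable.
def leaky_lookup(name)
  AllowedHandlers.const_get(name)
end
```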