Phillip Gawlowski wrote:
...
A lot of stuff that completely failed to address my comment, which was
about code injection, not about someone stealing your source code.

> If I'm able to read source code in a, hopefully, protected directory,
> I'm not going to bother with code injection.

Completely disagree there. As soon as I see that Mongrel's running,
I have a plan of attack.

> I'd be doing something like
> $ passwd
> Type the new password for root:

If you already have shell access, yes. But security's already broken
then.

> Also: How has introduced an issue that wasn't there already with, say,
> Perl, Tcl, or PHP (go through a list of PHP functions that you should
> close *at least* one of those days. Fun)?

It hasn't. It's introduced different versions of the same thing,
but all of these are easier than the equivalent attacks on object
code.

My code ran NASDAQ and a number of banks' Internet services for over a
decade. I was a contributor to OpenSSL years before it had that name.
I also did the first open source CA server, long before OpenCA or OpenID.
I have a little experience with this stuff, even if it's not what I care
for any more.

> Or with a hexeditor. Heck, download one from someplace, if you are able
> to see the sources of a Ruby app.

If you have the app to begin with. If you only have a web interface,
you don't have the app yet. You need to inject code to get it, or to
do worse.

> In short: Ruby makes the defense as shallow as Perl or Python.

Agree. But that's shallower than an object-code only system.