>>>>> "n" == nobu nokada <nobu.nokada / softhome.net> writes:

n> I guess this change can be a problem only when a certain class
n> is defined twice or more for irrelevant purposes, but in that
n> case the older one is no longer accessible, so it already should be
n> a problem without the change.

 Just to give you an example: I've released a new version of plruby
 because a problem can exist.

 plruby defines a module, then some methods, and it immediately sets $SAFE
 to a value >= 4, because it runs under the uid of postgres.

 With 1.6.6, if ruby doesn't create a new module but gives an old module with
 methods written in C, a problem can exist. If someone can access these
 methods, he can break the security of plruby because these methods are
 probably not written to work with $SAFE >= 4.

 This means that when you write an extension which must work with $SAFE > 0,
 you must test whether a class (or a module) exists before trying to create it.
 If it exists you must stop, otherwise you can inherit methods that you
 can't trust.

 If someone uses plruby with ruby >= 1.6.6, it's best to load the new
 version (0.2.5) because a security problem can exist. Sorry.


Guy Decoux
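
The check described in the message above, sketched in plain Ruby as an added example (not code from plruby or from this thread). `PLDemo`, `PLFresh`, `naive_define` and `guarded_define` are hypothetical names, `naive_define` only mimics the "return the old module" behaviour the message describes, and `$SAFE` itself is not modelled.

```ruby
# Constructed stand-in for a module that already exists before the extension
# loads, carrying a method that was never written for restricted code.
module PLDemo
  def self.unaudited_helper
    :not_written_for_restricted_code
  end
end

class ModuleAlreadyDefined < StandardError; end

# Mimics the behaviour the message describes: if the name is already taken,
# the old module is handed back instead of a new, empty one.
def naive_define(name)
  if Object.const_defined?(name)
    Object.const_get(name)
  else
    Object.const_set(name, Module.new)
  end
end

# The guard the message recommends: test for the name first and stop if it
# exists, so the sandbox never inherits methods it cannot trust.
def guarded_define(name)
  if Object.const_defined?(name)
    raise ModuleAlreadyDefined, "#{name} already exists; refusing to reuse it"
  end
  Object.const_set(name, Module.new)
end

# The reused module still exposes the earlier method.
puts naive_define(:PLDemo).respond_to?(:unaudited_helper)

# The guarded version refuses the taken name...
begin
  guarded_define(:PLDemo)
rescue ModuleAlreadyDefined => e
  puts "refused: #{e.message}"
end

# ...and hands out a module with no inherited singleton methods otherwise.
fresh = guarded_define(:PLFresh)
puts fresh.singleton_methods.inspect
```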