From: "Charles Oliver Nutter" <charles.nutter / sun.com>
>
> In general I think Binding.of_caller is a really, really bad idea 
> because it exposes internal details every method call in *your* code to 
> the whims of *someone else's* code. Basically, it breaks the most sacred 
> encapsulation possible, a method call's local variables.
> 
> Imagine a case like this:
> 
> def secure_action(encrypted_password)
>   decrypted_password = decrypt(encrypted_password)
>   authorize(decrypted_password)
>   do_secure_task
> end
> 
> If it were possible to modify do_secure task, or if you were simply 
> calling a third-party library, it could access the runtime variables of 
> the caller:
> 
> def do_secure_task
>   binding = Binding.of_caller
>   vars = eval 'local_variables', binding
>   vars.each do |name|
>     if name =~ /password/
>       use_for_evil(eval name, binding)
>     end
>   end
> end

If we're calling untrusted code and giving it full execution privileges, then
I think Binding.of_caller is the least of our worries.  The untrusted code
could as easily `rm -rf ~` or innumerable other evil things.

Untrusted code needs to be sandboxed.

Seems we could either make Binding.of_caller not work at all if $SAFE
is >= 3 ... or preferably, if it's possible for the interpreter to determine
whether the caller's binding would have a lower $SAFE level than the
current binding, then only raise a SecurityException in that case.

Would this address your security concerns?


Regards,

Bill