Under www.ruby.ch I have "my own" Ruby Sandbox running, which runs at level
2, i.e. allows "load"ing.

You can have the code (as a starting point), if you want.

Clemens

> -----Original Message-----
> From: Teague Sheridan [mailto:teague / apicom.com]
> Sent: Montag, 29. April 2002 07:05
> To: ruby-talk / ruby-lang.org
> Subject: Security bug in load()
> 
> 
> 
> I have seen a few messages from people asking about load() 
> when $SAFE is
> 4, but nobody has ever replied.  Hopefully this time someone 
> can answer.
> :)
> 
> I'm writing a multiplayer game that will allow players to script the
> behavior of their vehicles (like Lego Mindstorms).  They will 
> be able to
> share these scripts.  To prevent malicious players from causing harm,
> then, the scripts must be sandboxed.
> 
> The manual claims this is possible.  However, the code in the manual
> fails, and I'm afraid I must use some other scripting system (!).  I
> have Ruby 1.6.7 installed, on Win98.
> 
> At least, please tell me whether you plan to support load() 
> this way, or
> if it is fixed in CVS.
> 
> 
> E:\code\ft\client> type b.rb
> fileName = "hellomsg.rb"
> f = open(fileName, "w")
> f.print "puts 'Hi'\n"
> f.close
> puts fileName.tainted?
> load(fileName, true)
> Thread.start {
>   $SAFE = 4
>   load(fileName, true)
> }.join
> 
> 
> E:\code\ft\client> ruby b.rb
> false
> Hi
> b.rb:9:in `load': Insecure operation `load' at level 4 (SecurityError)
>         from b.rb:7:in `join'
>         from b.rb:7
> 
> 
> Thanks,
> Teague
>