On  8 Jan, Clemens Wyss wrote:
> Hi,
> I have seen Robert's post from Nov 13th and I would like to re-start this
> discussion. "Walter Webcoder"(see 'Programming Ruby') did a first try and
> Dave and Andy provided a (possible) solution to his work. My idea is to
> provide an interactive Ruby interpreter (Ruby CGI script) on my upcoming
> RubyCHannel site (www.ruby.ch, not yet active). The interpreter should not
> only allow calculating numbers, but show the "full power" of Ruby. I
> therefore started working (i.e. one hour so far) on my own Sandbox. Here
> you go:

(...)

> As you can see, 'system' and 'require' are not accessible; all the "rest"
> is. Also, the tainted level is set to 2 (by default). The print method is
> only overloaded in order to fetch the "print" statements in the
> eval-uated code. Now I am pretty sure that I missed some "security
> holes". Could you therefore please comment on this proposal?

  sandbox.execute("p %x(ls -l /)")          # %x / backticks still spawn a shell
  sandbox.execute("exec 'ls -l /'")         # exec replaces the interpreter process
  sandbox.execute("Thread.new { sleep 60000 } while 1")   # unbounded thread creation
  sandbox.execute("def endless; t = Object.clone; endless end; endless")  # unbounded recursion, memory

To mention only four of the ones I could imagine right now without great
investigation ...

But if you find all the holes, it would be nice to post (add to RAA) your
sandbox class then. :-)

> Regards
> Clemens (the other ;-))

Regards too,
\cle (the first Clemens of clr; meaning the other other ;-)
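The following is an added example, not code from either Clemens or from the
thread. Since the original sandbox body is elided above, it assumes a minimal
stand-in: a private object on which `system` and `require` are removed with
undef_method, against which untrusted strings are instance_eval'd ($SAFE is
not used because it was removed in Ruby 3.0). The probe harness then shows
the classes of hole listed in the reply: `%x` and `Kernel.system` are still
reachable, `exec`/`spawn`/`load`/backtick still resolve (checked with
`method(...)` rather than executed, since exec would replace the process),
a payload that leaks sleeping threads is cut off by a wall-clock limit and
its threads reaped, and unbounded recursion surfaces as SystemStackError,
which a bare `rescue` would miss because it is not a StandardError. The
payloads use `echo hi`, three sleeping threads and plain recursion instead
of the `ls -l /`, `while 1` and `Object.clone` versions quoted above, so the
block is safe to run.

```ruby
# Minimal stand-in (assumed, not the original) for a deny-list sandbox:
# untrusted code is evaluated with @cell as self, and `system`/`require`
# are undefined on @cell's singleton class so lookup stops there.
class LeakySandbox
  DENIED = %i[system require].freeze   # assumed deny-list from the post

  def initialize
    @cell = Object.new
    DENIED.each { |m| @cell.singleton_class.send(:undef_method, m) }
  end

  # `system` raises NoMethodError here, but every other Kernel method
  # (`, exec, spawn, load, open, fork) is still one lookup step away, and
  # Kernel.system (the module-function copy) is untouched.
  def execute(code)
    @cell.instance_eval(code)
  end
end

# Names for which `method(name)` resolves inside the sandbox, i.e. the
# process-spawning / code-loading surface the deny-list left reachable.
# Nothing is called, so `exec` can be audited without running it.
def reachable_kernel_methods(sandbox, names)
  names.select do |n|
    sandbox.execute("method(#{n.inspect})")
    true
  rescue NameError   # NoMethodError < NameError: covers undef'd names too
    false
  end
end

# Run one payload in a worker thread with a wall-clock limit, classify the
# outcome, and reap any threads the payload left behind (Thread#kill on the
# worker does not kill threads the worker created).
def probe(sandbox, code, limit: 0.5)
  before = Thread.list
  worker = Thread.new do
    Thread.current.report_on_exception = false   # we report it ourselves
    sandbox.execute(code)
  end
  # join re-raises the worker's exception in this thread; nil means timeout.
  result = if worker.join(limit)
             { status: :escaped, value: worker.value }
           else
             { status: :timeout }
           end
rescue NoMethodError => e
  result = { status: :blocked, error: e.message }
rescue SystemStackError => e       # not a StandardError: a bare rescue misses it
  result = { status: :crashed, error: e.class.name }
rescue StandardError => e
  result = { status: :error, error: e.class.name }
ensure
  leaked = Thread.list - before - [worker]
  leaked.each(&:kill)
  worker&.kill
  result[:threads_killed] = leaked.size if result
end

if __FILE__ == $0
  sb = LeakySandbox.new
  ["system('echo hi')",                  # blocked by the deny-list
   "require 'open3'",                    # blocked by the deny-list
   "%x(echo hi)",                        # escapes: Kernel#` untouched
   "Kernel.system('echo hi')",           # escapes: module function untouched
   "def endless; endless; end; endless", # crashes the worker, not the host
   "3.times { Thread.new { sleep 60000 } }; sleep 60000"].each do |code|
    p [code, probe(sb, code)]
  end
  p reachable_kernel_methods(sb, [:system, :require, :exec, :spawn, :load, :"`"])
end
```

The audit list is the practical takeaway: a deny-list has to be checked
against everything Kernel exposes, not just the two names one thinks of,
and resource exhaustion needs a wall-clock limit plus thread reaping rather
than any method removal.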