Hi,
This is ruby-dev summary 27761-28026.
lity information (webrick, xmlrpc)
Matz reported two vulnerabilities about webrick and xmlrpc (These
problems allow DoS attack) on ruby 1.8.2 or earlier. Problems were
fixed on ruby 1.8.3, so it is recommended for all to use ruby 1.8.3 or
later. There are also patches for ruby 1.8.2.
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-webrick-dos-1.patch
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.2-xmlrpc-dos-1.patch
Details of these problems will be posted independently.
[ruby-dev:27794] sample/svr.rb DoS vulnerability
Akira T. reported DoS attack vulnerability of sample/svr.rb. He
also reported following sequence to reproduce DoS attack.
For more detail, see [ruby-dev:27794].
[ruby-dev:27795] DRb DoS vulnerability
Akira T. also pointed out DoS attack vulnerability on DRb.
For more detail, see [ruby-dev:27795].
BTW, above 4 vulnerabilities are all reported by Akira T..
[ruby-dev:27871] Numeric and Complex
Matz requested for comments about following problem:
Ruby’s Numeric class includes Comparable module. This is based on
assumption that values are linear. However Complex value is not linear.
Current implementation of Complex#<=> is based on Complex#abs, but
Complex value is used as Range bound.
To solve this problem, Matz proposed following solutions:
- Make new super class of Integer, Float, Rational, etc.
New class includes Comparable. - All of classes (Integer, Float, Rational) includes Comparable.
- Change Complex super class other than Numeric.
- Keeping things as they are.
After active discussion, Matz decided follows:
- undef Complex#<=>
- add a new method Numeric#scalar?
[ruby-dev:27890] rb_funcall2() for protected method
Nobuyoshi N. proposed that rb_funcall2() should invoke protected
method (with a patch to change this behavior).
Matz accepted this change. And this change enable us to run an example
of [ruby-talk:169057].
[ruby-dev:27904] ruby 1.8.4 preview2
ruby 1.8.4 preview2 was released.
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.4-preview2.tar.gz
MD5: e5a48054fb34f09da17e8e8f04b8c706
This is also announced at [ruby-core:06798] ruby 1.8.4 preview2
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/06798
If you have time, please check this preview2.
[ruby-dev:27972] A Sample of Ruby/Tk
Hidetoshi NAGAI proposed to commit a sample of Ruby/Tk which posted at
[ruby-talk:169227] because this sample seems useful.
Matz accepted to commit it in ruby 1.8.4.
[ruby-dev:27984] modified restarg with zsuper
Koichi Sasada proposed that following example should not raise
ArgumentError because “super” should work as “super(a, *b)” in this
case.
class C
def m(a, b)
end
end
class D < C
def m(a, *b)
b[0] ||= 2 # if no rest arguments are given, add one
super
end
end
D.new.m(1, 2) # OK, no problem
D.new.m(1)
# wrong number of arguments (1 for 2) (ArgumentError)
# in current interpreter (1.9.0)
Matz agreed this proposal.
Current YARV performs this behavior 
[ruby-dev:27991] GC.always
Akira T. proposed “GC.always” method. This method forces ruby
interpreter to invoke GC whenever it is invokable. It means that GC
will be invoked at every object allocations, every memory allocations.
This feature helps interpreter debugging around GC bugs.
Matz refused “GC.always” method name (didn’t refused this feature, only
method name). Another proposed method name is “GC.debug”.
This issue is still open.
[ruby-dev:27996] How about “Time Literal”?
take_tk proposed that “Time Literal” represented by ISO 8601. For
example, 19850412T101530 means Time object as “12 Apr 1985 10:15:30”.
This issue is still open.
ruby-dev summary index: ruby-dev summary