On Apr 6, 2006, at 6:54 AM, Ben Gribaudo wrote:
Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby
1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web
site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.
Is the security issue in 1.8.2 such that a Rails application
wouldn't expose it to the public? Or, for security reasons, should
Rails apps (and any other publicly exposed usage of Ruby) be only
run under 1.8.4? In other words, is using 1.8.2 + Rails safe?
Rails doesn’t use $SAFE.
Eric H. - [email protected] - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
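As an added example, not code from the original thread, from Rails, or from Ruby itself: the check a practitioner would want after reading the reply above is whether their own application code (as opposed to Rails) ever sets or reads $SAFE or leans on taint checks, because a safe-level bypass only matters for code that uses safe levels as a security boundary. The script below scans source text for such uses; the file names and contents are constructed sample input, and the regexes are a deliberately simple heuristic, not a parser. Caveat: $SAFE and taint tracking were removed in Ruby 3.0, so this audit only makes sense for legacy code.

```ruby
# Added example (not from the original thread, Rails, or Ruby): a quick audit of
# whether application code relies on $SAFE or taint tracking. Rails itself did
# not use $SAFE, so a safe-level bypass only matters to code that does.

# Classify one line of code (comments already stripped). Order matters:
# "$SAFE = 1" is an assignment, "$SAFE >= 1" or "$SAFE == 1" is a read.
def classify_safe_usage(code)
  return "safe level assignment" if code =~ /\$SAFE\s*=(?!=)/
  return "safe level read"       if code =~ /\$SAFE\b/
  return "taint API"             if code =~ /\.(?:taint\b|untaint\b|tainted\?)/
  nil
end

# Scan one file's text. Returns an array of { file:, line:, kind:, text: }.
# Comment stripping is crude (a "#" inside a string literal will truncate the
# line), which is acceptable for a first-pass audit.
def scan_safe_usage(source, filename = "(string)")
  hits = []
  source.each_line.with_index(1) do |line, lineno|
    code = line.sub(/#.*$/, "")
    kind = classify_safe_usage(code)
    hits << { file: filename, line: lineno, kind: kind, text: line.strip } if kind
  end
  hits
end

# Audit a { filename => source } map.
def audit_safe_usage(sources)
  sources.flat_map { |name, src| scan_safe_usage(src, name) }
end

# True if any file sets or reads $SAFE, i.e. treats it as a security boundary.
def relies_on_safe_level?(sources)
  audit_safe_usage(sources).any? { |h| h[:kind].start_with?("safe level") }
end

# Constructed sample input (hypothetical files, not from any real project).
SAMPLE_SOURCES = {
  "app/controllers/foo.rb" => <<~'RUBY',
    class FooController < ApplicationController
      def show
        @item = Item.find(params[:id])   # no $SAFE here, only a comment mention
      end
    end
  RUBY
  "lib/sandbox.rb" => <<~'RUBY',
    def run_untrusted(code)
      raise "no sandbox" unless $SAFE >= 1   # reads the level
      Thread.new do
        $SAFE = 4
        eval(code)
      end.join
    end
    ENV["PATH"].untaint if ENV["PATH"].tainted?
  RUBY
}.freeze

if __FILE__ == $0
  audit_safe_usage(SAMPLE_SOURCES).each do |h|
    puts "#{h[:file]}:#{h[:line]}: #{h[:kind]}: #{h[:text]}"
  end
  puts(relies_on_safe_level?(SAMPLE_SOURCES) ? "relies on $SAFE" : "does not rely on $SAFE")
end
```

Run it against a real tree by replacing SAMPLE_SOURCES with a map built from Dir.glob("**/*.rb"); any "safe level" hit is code that a safe-level bypass would affect, while an empty result means the application, like Rails, never depended on $SAFE in the first place.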