Forum: Ruby Bug in ERb when using $SAFE>=4

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
3ca7a660c046bf7956b39e65b3301f3f?d=identicon&s=25 Andy Morrow (Guest)
on 2007-04-03 19:51
(Received via mailing list)
I've been working with ERB and trying to run it in a secure
environment. (My goal is to allow end users to render templates in my
Rails app.) There is what appears to me to be a bug in ERB when you
try to run an object that was created with $SAFE >= 4. Here's the
relevant code:
(from erb.rb in class ERB starting on line #735)
   def result(b=TOPLEVEL_BINDING)
     if @safe_level
       th = Thread.start {
  $SAFE = @safe_level
  eval(@src, b, (@filename || '(erb)'), 1) #problem
       return th.value
       return eval(@src, b, (@filename || '(erb)'), 1)
The problem lies in passing TOPLEVEL_BINDING to eval. Once $SAFE>=4
is set, a new binding is created and you're no longer allowed to
modify the original binding. There's no option to pass eval the
binding created after $SAFE is set inside the new thread. My modified
version of the code reads like this:
(from erb.rb in class ERB, line # 739)
  eval(@src, (@safe_level==4? binding : b), (@filename || '(erb)'), 1)
#no problem any more
I've tested this a million times, and you can't pass ERB a valid
binding unless you set $SAFE>=4 in your main app (and I can't do
that.) Am I just crazy? Did I miss something?
Andy Morrow
This topic is locked and can not be replied to.