Forum: Ruby on Rails Rails and Ruby 1.8.2 -- Is there a Security Issue?

Ben Gribaudo (Guest)
on 2006-04-06 15:57
(Received via mailing list)
Hello,

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby 1.8.2
(http://www.ruby-lang.org/en/20051003.html). The Rails Web site suggests
running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application wouldn't
expose it to the public? Or, for security reasons, should Rails apps
(and any other publicly exposed usage of Ruby) be only run under 1.8.4?
In other words, is using 1.8.2 + Rails safe?

Thank you,
Ben
Eric Hodel (Guest)
on 2006-04-06 20:32
(Received via mailing list)
On Apr 6, 2006, at 6:54 AM, Ben Gribaudo wrote:

> Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby
> 1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web
> site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.
>
> Is the security issue in 1.8.2 such that a Rails application
> wouldn't expose it to the public? Or, for security reasons, should
> Rails apps (and any other publicly exposed usage of Ruby) be only
> run under 1.8.4? In other words, is using 1.8.2 + Rails safe?

Rails doesn't use $SAFE.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com