Would one be so kind to read my soliloquy in ticket #6407?

http://dev.rubyonrails.org/ticket/6407

The ticket itself and patch are not so relevant by now, but provide context. I'm interested in the response to my question in the last comment, regarding use of config.load_paths and config.autoload_paths.

Thanks.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core
-~----------~----~----~----~------~----~------~--~---

Michael Koziarski
2006-Oct-24 01:25 UTC
Re: #6407, config.load_paths and config.autoload_paths
> The ticket itself and patch are not so relevant by now, but provide
> context. I'm interested in the response to my question in the last
> comment, regarding use of config.load_paths and config.autoload_paths.

Yeah, seems the docs are out of date. Nicholas would be able to comment for sure.

Rails will only autoload things from the autoload_path, this whitelist based approach should help avert any future security incidents.

config.load_paths is needed for stuff you explicitly 'require'.

--
Cheers

Koz

On 2006-10-23, at 22:25 , Michael Koziarski wrote:

> Yeah, seems the docs are out of date. Nicholas would be able to
> comment for sure.
>
> Rails will only autoload things from the autoload_path, this
> whitelist based approach should help avert any future security
> incidents.

Thanks, I patched the docs at:

http://dev.rubyonrails.org/ticket/6478

and closed the previous ticket.

On 2006-10-23, at 23:25 , Caio Chassot wrote:

> On 2006-10-23, at 22:25 , Michael Koziarski wrote:
>
>> Yeah, seems the docs are out of date. Nicholas would be able to
>> comment for sure.
>>
>> Rails will only autoload things from the autoload_path, this
>> whitelist based approach should help avert any future security
>> incidents.
>
> Thanks, I patched the docs...

And yet it seems to me autoload_paths no longer works?

I guess I'll wait for Nicholas to comment.

Nicholas Seckar
2006-Oct-27 22:12 UTC
Re: #6407, config.load_paths and config.autoload_paths
On 10/23/06, Caio Chassot <lists@v2studio.com> wrote:

> And yet it seems to me autoload_paths no longer works?

That's correct -- it was removed in favor of keeping backwards compatibility and avoiding the repetition of adding to both load_paths and autoload_paths.

On 2006-10-27, at 19:12 , Nicholas Seckar wrote:

> On 10/23/06, Caio Chassot <lists@v2studio.com> wrote: And yet it
> seems to me autoload_paths no longer works?
>
> That's correct -- it was removed in favor of keeping backwards
> compatibility and avoiding the repetition of adding to both
> load_paths and autoload_paths.

I guess you can still add non-auto-loading paths directly via $: for use with plain require?

On 2006-10-27, at 19:12 , Nicholas Seckar wrote:

> On 10/23/06, Caio Chassot <lists@v2studio.com> wrote: And yet it
> seems to me autoload_paths no longer works?
>
> That's correct -- it was removed in favor of keeping backwards
> compatibility and avoiding the repetition of adding to both
> load_paths and autoload_paths.

Also, if autoload_paths is gone, you should revert changeset 5352.