Ben Gribaudo
2006-Apr-06 13:55 UTC
[Rails] Rails and Ruby 1.8.2 -- Is there a Security Issue?
Hello,

Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby 1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.

Is the security issue in 1.8.2 such that a Rails application wouldn't expose it to the public? Or, for security reasons, should Rails apps (and any other publicly exposed usage of Ruby) be only run under 1.8.4? In other words, is using 1.8.2 + Rails safe?

Thank you,
Ben
Eric Hodel
2006-Apr-06 18:31 UTC
[Rails] Rails and Ruby 1.8.2 -- Is there a Security Issue?
On Apr 6, 2006, at 6:54 AM, Ben Gribaudo wrote:

> Ruby-Lang.org mentions a safe level bypass vulnerability in Ruby
> 1.8.2 (http://www.ruby-lang.org/en/20051003.html). The Rails Web
> site suggests running Rails 1.1 under either 1.8.2 or 1.8.4.
>
> Is the security issue in 1.8.2 such that a Rails application
> wouldn't expose it to the public? Or, for security reasons, should
> Rails apps (and any other publicly exposed usage of Ruby) be only
> run under 1.8.4? In other words, is using 1.8.2 + Rails safe?

Rails doesn't use $SAFE.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant
http://trackmap.robotcoop.com
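The reply's point is that a safe-level bypass only matters to code that actually relies on safe levels. As an added example, not code from this thread or from Rails, here is a small scanner that flags Ruby source depending on $SAFE or the taint API, run over constructed sample files (the PostsController and run_snippet snippets are made-up illustrations, not real Rails code):

```ruby
# Added example (not from the thread or Rails): flag Ruby source that relies on
# $SAFE safe levels or taint tracking, the only code a safe-level bypass affects.
SAFE_PATTERNS = {
  safe_assign: /\$SAFE\s*=(?!=)/,                  # raising the safe level
  safe_read:   /\$SAFE(?!\s*=(?!=))/,              # reading or comparing it
  taint_call:  /\.(tainted\?|untaint|taint)(?!\w)/ # taint API, only enforced under $SAFE
}.freeze

# Returns findings as hashes { file:, line:, kind:, text: }; comments are ignored.
def scan_for_safe_reliance(source, name: "(string)")
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.lstrip.start_with?("#")      # whole-line comment
    code = line.sub(/\s#(?!\{).*\z/, "")       # trailing comment (keeps "#{...}")
    SAFE_PATTERNS.each do |kind, pattern|
      next unless code.match?(pattern)
      findings << { file: name, line: lineno, kind: kind, text: line.strip }
    end
  end
  findings
end

# Constructed sample: a plain Rails-style controller, no safe levels involved.
RAILS_STYLE_SOURCE = <<~'RUBY'
  # typical controller action
  class PostsController < ApplicationController
    def create
      @post = Post.new(params[:post]) # never touches $SAFE
      @post.save
    end
  end
RUBY

# Constructed sample: code that isolates user snippets behind safe levels.
SANDBOX_SOURCE = <<~'RUBY'
  def run_snippet(code)
    Thread.new do
      $SAFE = 4
      eval(code.taint)
    end.value
  end
RUBY

if $PROGRAM_NAME == __FILE__
  { "posts_controller.rb" => RAILS_STYLE_SOURCE, "sandbox.rb" => SANDBOX_SOURCE }.each do |n, s|
    scan_for_safe_reliance(s, name: n).each { |f| puts "#{n}:#{f[:line]} #{f[:kind]}: #{f[:text]}" }
  end
end
```

Only files with findings (like the sandbox sample) are exposed to a safe-level bypass; a scan with no hits means the application, like Rails itself, never leaned on $SAFE in the first place.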