Hi, there. I''m new to Rails and Ruby in general. I''ve just started looking at Rails and was a bit disturbed by the fact that RubySafeLevel needs to be set to 0 to use mod_ruby (as documented in the .htaccess file and through mod_ruby choking on some GEMS globbing). I''m not a security expert by any means, which is why I try to do what security-minded folks suggest. Coming from a (somewhat rusty) Perl background, I seem to recall using the -t/T (and -w) switch on production webapps as a matter of course. What would need to be tweaked and what functionality might be lost to allow Rails and mod_ruby to run at a safe level of 1 or more? Thanks, -Chris Mayes
David Heinemeier Hansson
2004-Nov-26 22:03 UTC
Re: What''s required for a non-zero RubySafeLevel?
> Coming from a (somewhat rusty) Perl background, I seem to recall using > the -t/T (and -w) switch on production webapps as a matter of course. > What would need to be tweaked and what functionality might be lost to > allow Rails and mod_ruby to run at a safe level of 1 or more?I forget the specifics, but SafeLevel 1 had a lot of constraints on how to deal with evals and stuff that wasn''t being helpful. The biggest dangers for web-apps are likely to be things such as SQL-injection anyway that wouldn''t be caught by this. But it would be interesting to have someone take another look at what SafeLevel 1 could do us of good. -- David Heinemeier Hansson, http://www.basecamphq.com/ -- Web-based Project Management http://www.rubyonrails.org/ -- Web-application framework for Ruby http://macromates.com/ -- TextMate: Code and markup editor (OS X) http://www.loudthinking.com/ -- Broadcasting Brain