How do you mark a Ruby binding as trusted?

From this article http://www.stuartellis.eu/articles/erb , quoting the section on safe levels:

"At this level, the specified binding must be marked as trusted for ERB to use it."

I searched high and low and did not find a way to "mark" the binding as "trusted."

Will someone please enlighten me?

+3
1 answer

You must taint the binding by calling the taint method.

$SAFE - Ruby, . , , , , HTTP- ..

$SAFE 1, , Ruby require, .

$SAFE 4 . Ruby . , $SAFE proc $SAFE 4. tainted strong > .

ERB , . , :

require 'erb'

class TemplateContext
  def name; "Teflon Ted"; end
end

# Untainted binding rendered at $SAFE level 4: ERB refuses it.
template_binding = TemplateContext.new.send(:binding)
ERB.new("Hi, <%= name %>!", 4).result(template_binding)

#=> SecurityError: Insecure: can't modify trusted binding

Blam!. Ruby, , $SAFE 4. eval ( ERB).

tainted. Ruby, .

require 'erb'

class TemplateContext
  def name; "Teflon Ted"; end
end

# Binding must be tainted!
template_binding = TemplateContext.new.send(:binding).taint
ERB.new("Hi, <%= name %>!", 4).result(template_binding)

#=> "Hi, Teflon Ted!"

Ruby $SAFE . Pickaxe.

+8
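An added example (not from the question or the answer above) showing the same TemplateContext pattern on a modern Ruby, where $SAFE levels and Object#taint no longer exist and the only remaining safeguard is handing ERB a binding from a small, dedicated context object instead of the caller's binding. The class and method names other than TemplateContext and name are assumptions for illustration.

```ruby
require 'erb'

# Minimal context: templates can reach only what is defined here.
class TemplateContext
  def initialize(name)
    @name = name
  end

  def name
    @name
  end

  # Expose the binding explicitly rather than via send(:binding), so the
  # intent is visible at the call site. Locals of the caller are not in scope.
  def template_binding
    binding
  end
end

# Renders a template against a TemplateContext only. Passing any other
# object (for example a controller's or script's own binding) is refused.
def render_template(template, context)
  unless context.is_a?(TemplateContext)
    raise ArgumentError, "templates may only be rendered against a TemplateContext"
  end
  ERB.new(template).result(context.template_binding)
end

# The template from the answer above, rendered with constructed sample data.
def greet(name)
  render_template("Hi, <%= name %>!", TemplateContext.new(name))
end

# Shows the failure mode: a template that references a method the context
# does not define raises NameError inside the binding. Returns the error
# class name on failure, or :rendered if the template rendered cleanly.
def probe(template)
  render_template(template, TemplateContext.new("Teflon Ted"))
  :rendered
rescue NameError => e
  e.class.name
end
```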

Source: https://habr.com/ru/post/1762677/
