Warn on access/modify of $SAFE, and remove effects of modifying $SAFE

This removes the security features added by $SAFE = 1, and warns for access or modification of $SAFE from Ruby-level, as well as warning when calling all public C functions related to $SAFE. This modifies some internal functions that took a safe level argument to no longer take the argument. rb_require_safe now warns, rb_require_string has been added as a version that takes a VALUE and does not warn. One public C function that still takes a safe level argument and that this doesn't warn for is rb_eval_cmd. We may want to consider adding an alternative method that does not take a safe level argument, and warn for rb_eval_cmd.
author: Jeremy Evans <[email protected]> 2019-09-20 19:06:22 -0700
committer: Jeremy Evans <[email protected]> 2019-11-18 01:00:25 +0200
commit: c5c05460ac20abcbc0ed686eb4acf06da7a39a79 (patch)
tree: 991109a68f3b1cd2e256a936701d3b2badd3ddac /lib/drb
parent: 7b6a8b5b54448235e17ed187d9d73f56893e1b6f (diff)
1 files changed, 10 insertions, 52 deletions
diff --git a/lib/drb/drb.rb b/lib/drb/drb.rb
index 5c7f66ac16..0063e20144 100644
--- a/lib/drb/drb.rb
+++ b/lib/drb/drb.rb
@@ -160,8 +160,6 @@ require_relative 'eq'
 #   # The object that handles requests on the server
 #   FRONT_OBJECT=TimeServer.new
 #
-#   $SAFE = 1   # disable eval() and friends
-#
 #   DRb.start_service(URI, FRONT_OBJECT)
 #   # Wait for the drb server thread to finish before exiting.
 #   DRb.thread.join
@@ -245,8 +243,6 @@ require_relative 'eq'
 #
 #   FRONT_OBJECT=LoggerFactory.new("/tmp/dlog")
 #
-#   $SAFE = 1   # disable eval() and friends
-#
 #   DRb.start_service(URI, FRONT_OBJECT)
 #   DRb.thread.join
 #
@@ -286,10 +282,7 @@ require_relative 'eq'
 #    ro.instance_eval("`rm -rf *`")
 #
 # The dangers posed by instance_eval and friends are such that a
-# DRbServer should generally be run with $SAFE set to at least
-# level 1.  This will disable eval() and related calls on strings
-# passed across the wire.  The sample usage code given above follows
-# this practice.
+# DRbServer should only be used when clients are trusted.
 #
 # A DRbServer can be configured with an access control list to
 # selectively allow or deny access from specified IP addresses.  The
@@ -1362,7 +1355,6 @@ module DRb
     @@argc_limit = 256
     @@load_limit = 0xffffffff
     @@verbose = false
-    @@safe_level = 0
 
     # Set the default value for the :argc_limit option.
     #
@@ -1392,11 +1384,8 @@ module DRb
       @@idconv = idconv
     end
 
-    # Set the default safe level to +level+.  The default safe level is 0
-    #
-    # See #new for more information.
-    def self.default_safe_level(level)
-      @@safe_level = level
+    def self.default_safe_level(level) # :nodoc:
+      # Remove in Ruby 3.0
     end
 
     # Set the default value of the :verbose option.
@@ -1418,7 +1407,6 @@ module DRb
         :tcp_acl => @@acl,
         :load_limit => @@load_limit,
         :argc_limit => @@argc_limit,
-        :safe_level => @@safe_level
       }
       default_config.update(hash)
     end
@@ -1452,10 +1440,6 @@ module DRb
     # :argc_limit :: the maximum number of arguments to a remote
     #                method accepted by the server.  Defaults to
     #                256.
-    # :safe_level :: The safe level of the DRbServer.  The attribute
-    #                sets $SAFE for methods performed in the main_loop.
-    #                Defaults to 0.
-    #
     # The default values of these options can be modified on
     # a class-wide basis by the class methods #default_argc_limit,
     # #default_load_limit, #default_acl, #default_id_conv,
@@ -1487,7 +1471,6 @@ module DRb
 
       @front = front
       @idconv = @config[:idconv]
-      @safe_level = @config[:safe_level]
 
       @grp = ThreadGroup.new
       @thread = run
@@ -1514,11 +1497,10 @@ module DRb
     # The configuration of this DRbServer
     attr_reader :config
 
-    # The safe level for this server.  This is a number corresponding to
-    # $SAFE.
-    #
-    # The default safe_level is 0
-    attr_reader :safe_level
+    def safe_level # :nodoc:
+      # Remove in Ruby 3.0
+      0
+    end
 
     # Set whether to operate in verbose mode.
     #
@@ -1652,7 +1634,6 @@ module DRb
     class InvokeMethod  # :nodoc:
       def initialize(drb_server, client)
         @drb_server = drb_server
-        @safe_level = drb_server.safe_level
         @client = client
       end
 
@@ -1661,33 +1642,10 @@ module DRb
         @succ = false
         setup_message
 
-        if $SAFE < @safe_level
-          info = Thread.current['DRb']
-          if @block
-            @result = Thread.new do
-              Thread.current['DRb'] = info
-              prev_safe_level = $SAFE
-              $SAFE = @safe_level
-              perform_with_block
-            ensure
-              $SAFE = prev_safe_level
-            end.value
-          else
-            @result = Thread.new do
-              Thread.current['DRb'] = info
-              prev_safe_level = $SAFE
-              $SAFE = @safe_level
-              perform_without_block
-            ensure
-              $SAFE = prev_safe_level
-            end.value
-          end
+        if @block
+          @result = perform_with_block
         else
-          if @block
-            @result = perform_with_block
-          else
-            @result = perform_without_block
-          end
+          @result = perform_without_block
         end
         @succ = true
         case @result
author	Jeremy Evans <[email protected]>	2019-09-20 19:06:22 -0700
committer	Jeremy Evans <[email protected]>	2019-11-18 01:00:25 +0200
commit	c5c05460ac20abcbc0ed686eb4acf06da7a39a79 (patch)
tree	991109a68f3b1cd2e256a936701d3b2badd3ddac /lib/drb
parent	7b6a8b5b54448235e17ed187d9d73f56893e1b6f (diff)