Minero Aoki
Hi all,
This is a summary of the ruby-dev ML over the last few days.
[ruby-list:38619] dl and Win32 API call
[ruby-dev:22012] Re: [ruby-list:38619] dl and Win32 API call
arton reported a dl.so problem on win32 systems.
On win32 systems the API callee pops its arguments from the machine stack.
But dl.so (the API caller) pops the arguments on all platforms too, which
breaks the stack.
Tietew posted a patch in [ruby-dev:21991], and Takaaki Tateishi, the
dl.so maintainer, incorporated it.
[ruby-dev:22013] HTTP_PROXY
TANAKA Akira introduced the following web page:
http://ftp.ics.uci.edu/pub/websoft/libwww-perl/archive/2001h1/0072.html
This page describes a security hole involving HTTP_PROXY. The HTTP server
overwrites the CGI program's HTTP_* environment variables with the request
headers, so HTTP_PROXY is overwritten by a "Proxy:" HTTP header.
HTTP clients can therefore overwrite the HTTP_PROXY environment variable.
If a CGI program uses an HTTP library and that library honours HTTP_PROXY,
this causes a security problem.
Akira pointed out that some standard libraries use HTTP_PROXY without
checking. The related libraries are:
* open-uri.rb (maintainer: TANAKA Akira)
* SOAP4R (maintainer: NAKAMURA Hiroshi aka NaHi)
* (net/http) (maintainer: Minero Aoki)
Akira (open-uri maintainer) decided to check whether the library is
being used in a CGI program by looking at the REQUEST_METHOD environment
variable.
NaHi (SOAP4R maintainer) decided to look at the soap_use_proxy environment
variable. If ENV['soap_use_proxy'] is set, SOAP4R uses HTTP_PROXY,
no_proxy, and the other proxy environment variables.
Finally, Minero Aoki (net/http maintainer) decided to keep the current
behavior: net/http never relies on the HTTP_PROXY environment variable.
If you want to use a proxy, set it explicitly. open-uri is preferable for
"handy" use.
See each CVS HEAD source code for details.
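The following is an added example, not code from the thread or from any of the libraries named above. It models how a CGI server maps request headers onto HTTP_* variables, then compares a resolver that trusts HTTP_PROXY blindly with one that applies the REQUEST_METHOD check open-uri adopted; the header values and host names are constructed.

```ruby
# Added example (not from the original post): how a CGI environment turns a
# client-supplied "Proxy:" request header into HTTP_PROXY, and a resolver that
# refuses to honour HTTP_PROXY when it detects it is running under CGI, the
# REQUEST_METHOD check open-uri's maintainer chose.

# Mimics the CGI/1.1 rule: each request header becomes HTTP_<NAME>, with
# dashes turned into underscores and the name upcased. Constructed model of
# the server side, not a real server.
def cgi_env_from_request(method, headers)
  env = { 'REQUEST_METHOD' => method }
  headers.each do |name, value|
    env['HTTP_' + name.upcase.tr('-', '_')] = value
  end
  env
end

# Naive resolver: trusts HTTP_PROXY wherever it runs (the behaviour the
# summary warns about).
def naive_proxy(env)
  env['HTTP_PROXY'] || env['http_proxy']
end

# Hardened resolver: when REQUEST_METHOD is present the process is a CGI
# program and HTTP_PROXY may have come from the remote client, so ignore it.
# Outside CGI the lowercase http_proxy the user set on the command line wins.
def safe_proxy(env)
  return nil if env.key?('REQUEST_METHOD')
  env['http_proxy'] || env['HTTP_PROXY']
end

# Constructed request: a client sends a "Proxy:" header to a CGI script.
HOSTILE_HEADERS = {
  'Host'  => 'www.example.com',
  'Proxy' => 'http://rogue-proxy.example:8080'
}

if __FILE__ == $0
  env = cgi_env_from_request('GET', HOSTILE_HEADERS)
  puts "HTTP_PROXY seen by the CGI program: #{env['HTTP_PROXY'].inspect}"
  puts "naive resolver would use: #{naive_proxy(env).inspect}"
  puts "hardened resolver uses:   #{safe_proxy(env).inspect}"
end
```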
[ruby-dev:22019] $stdout/$stderr must respond to IO methods?
Currently you can assign any object to $stdout/$stderr as long as the
object has a #write method, e.g.
    class StdoutLogging
      def write(str)
        File.open('/tmp/log', 'a') {|f| f.print str }
      end
    end
    $stdout = StdoutLogging.new
Tietew pointed out that this protocol does not guarantee that the
following code works:
    $stderr.print 'warning: does not use this method'
He suggested making a new module such as IO::Writable, which defines the
I/O methods in terms of #write.
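As an added example (not code from the thread), here is a sketch of the IO::Writable idea: a mixin that builds print, puts and << on top of a single #write, so a #write-only sink like StdoutLogging can be assigned to $stderr and still accept $stderr.print. The module name WritableMixin, the in-memory sink and the capture helper are assumptions.

```ruby
# Added example (not from the thread): a sketch of the IO::Writable idea,
# a mixin that implements the common output methods on top of a single
# #write method, so any object mixing it in can safely be assigned to
# $stdout/$stderr. Name and method set are assumptions.
module WritableMixin
  def <<(obj)
    write(obj.to_s)
    self
  end

  def print(*args)
    args.each { |a| write(a.to_s) }
    nil
  end

  def puts(*args)
    args = [''] if args.empty?
    args.flatten.each do |a|
      s = a.to_s
      write(s)
      write("\n") unless s.end_with?("\n")
    end
    nil
  end
end

# Minimal sink that only knows how to #write; it collects output in a String
# instead of appending to /tmp/log as the post's StdoutLogging does.
class MemoryLogging
  include WritableMixin
  attr_reader :buffer
  def initialize
    @buffer = String.new
  end
  def write(str)
    @buffer << str.to_s
    str.to_s.bytesize
  end
end

# Redirect $stderr to the sink for the duration of the block and return
# everything that was written, restoring the real $stderr afterwards.
def capture_stderr
  saved = $stderr
  sink = MemoryLogging.new
  $stderr = sink
  yield
  sink.buffer
ensure
  $stderr = saved
end
```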
[ruby-dev:22057] drb/drb.rb document
Minero Aoki suggested that "require 'drb'" is better than
"require 'drb/drb'". SEKI Masatoshi, the drb maintainer, replied
that he chose "require 'drb/drb'".
[ruby-dev:22067] exit value as boolean
Nobu.nakada proposed new semantics for Kernel#exit:
"exit true" means exit(EXIT_SUCCESS) in C, and
"exit false" means exit(EXIT_FAILURE).
Matz agreed with him and incorporated a patch.
[ruby-dev:22071] Dir.glob and shift_jis
H.Yamamoto posted a patch to allow Dir.glob to search for files whose
names include native language characters. The latest patch is
attached to [ruby-dev:22104].
-- Minero Aoki