Security in dRuby

By: Jeya in Ruby Tutorials on 3 March 2009

As with all network services, security needs to be considered when using dRuby. Exposing a Ruby object over dRuby lets remote clients call not only the methods you defined for that object but, by default, any public method it has, including the ones every object inherits from Object. Since every object answers instance_eval, a client can execute arbitrary Ruby code on your server. Consider the following:

  # !!! UNSAFE CODE !!!
  require 'drb/drb'

  ro = DRbObject.new_with_uri("druby://your.server.com:8989")
  class << ro
    # DRbObject is a proxy that forwards unknown methods over the wire via
    # method_missing; instance_eval exists locally on the proxy, so undef it
    # here to force the call to be passed to the remote object.
    undef :instance_eval
  end
  ro.instance_eval("`rm -rf *`")

The dangers posed by instance_eval and friends are such that a DRbServer should generally be run with $SAFE set to at least level 1; DRbServer takes a :safe_level option for this. At that level, strings arriving over the wire are tainted, and eval, instance_eval and the other *_eval methods refuse tainted strings with a SecurityError. This is a defence of the Ruby of the time: taint tracking became a no-op in Ruby 2.7 and $SAFE lost its meaning in Ruby 3.0, so on a current Ruby it protects nothing. What holds on every version is that the server dispatches any public method of the front object, so the front object's public surface should be exactly the API you mean to serve, and the service should not be reachable from untrusted networks.
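The following is an added example, not code from the original post or from the dRuby distribution. It shows why the instance_eval trick works and how to close it without relying on $SAFE: a simplified model of the server-side dispatch check (modelled on DRb's check_insecure_method, which refuses only __send__ and non-public methods), an audit of which eval-style entry points a front object leaves reachable, and a hypothetical key/value front object (KvFront, get and put are invented for the demonstration) that undefines those entry points. The list of dangerous names is the example's own selection.

```ruby
require 'drb/drb'

# Entry points that the stock DRb dispatcher will call for a remote client
# because they are public on every Object. This selection is the example's
# own; eval itself is private on Kernel and is refused already, but send
# bypasses visibility and reopens it (and system, exec, ...).
REMOTE_EVAL_SURFACE = %i[
  instance_eval instance_exec send public_send
  instance_variable_get instance_variable_set
].freeze

# Simplified model of DRb's server-side check (check_insecure_method):
# only __send__ and private/protected methods are refused; every other
# public method on the front object is remotely callable.
def callable_over_drb?(obj, msg_id)
  return false if msg_id == :__send__
  return false if obj.private_methods.include?(msg_id)
  return false if obj.protected_methods.include?(msg_id)
  obj.respond_to?(msg_id)
end

# Which eval-style entry points does this front object leave reachable?
def exposed_eval_surface(obj)
  REMOTE_EVAL_SURFACE.select { |m| callable_over_drb?(obj, m) }
end

# Hypothetical service used for the demonstration: a tiny key/value store
# whose intended remote API is exactly get and put.
class KvFront
  def initialize
    @store = {}
  end

  def get(key)
    @store[key.to_s]
  end

  def put(key, value)
    @store[key.to_s] = value.to_s
    :ok
  end

  # Remove the generic entry points inherited from Object, so the
  # instance_eval trick above ends in NoMethodError on the server instead
  # of running shell commands. DRb itself invokes methods via __send__,
  # which stays in place (and is refused for remote callers).
  REMOTE_EVAL_SURFACE.each { |m| undef_method(m) if method_defined?(m) }
end

def audit(obj)
  exposed = exposed_eval_surface(obj)
  if exposed.empty?
    "#{obj.class}: no eval-style method is remotely callable"
  else
    "#{obj.class}: remotely callable: #{exposed.join(', ')}"
  end
end

# Serving the hardened front; not invoked here. Bind to loopback, or pair
# the server with an access control list, rather than exposing 0.0.0.0.
def serve_kv(uri = 'druby://127.0.0.1:8989')
  DRb.start_service(uri, KvFront.new)
  DRb.thread.join
end

puts audit(Object.new)
puts audit(KvFront.new)
```

Run stand-alone, the audit reports a plain Object as exposing instance_eval, instance_exec, send and the rest, and KvFront as exposing none of them. The undef approach is preferable to a BasicObject-based front because DRb's dispatch check itself calls private_methods and protected_methods on the front, which BasicObject lacks.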

A DRbServer can be configured with an access control list to selectively allow or deny access from specified IP addresses. The main dRuby distribution provides the ACL class (drb/acl) for this purpose; it is evaluated against the peer address of each accepted connection, so it identifies clients by source IP and nothing more. In general, this mechanism should be used alongside, rather than as a replacement for, a good firewall.
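An added example of the ACL mechanism, not code from the original post. The rule set and the peer addresses are constructed for the demonstration; the server URI and the front argument of serve_with_acl are placeholders. It builds an ACL, evaluates it against peeraddr-style arrays the way DRb does for each accepted connection, including the IPv6 loopback edge case, and shows how the ACL is attached to a service.

```ruby
require 'drb/drb'
require 'drb/acl'

# Constructed rule set: refuse everyone, then re-admit loopback (both
# address families, since a server bound to :: sees ::1, not 127.0.0.1)
# and one internal /24. Entries are "deny"/"allow" pairs; in the default
# DENY_ALLOW order, allow entries are checked first, then deny entries,
# and an address matching neither is admitted.
ACL_RULES = %w[
  deny  all
  allow 127.0.0.1
  allow ::1
  allow 192.168.1.0/24
].freeze

SERVER_ACL = ACL.new(ACL_RULES)

# ACL#allow_addr? takes the array Socket#peeraddr returns:
# [family, port, hostname, numeric address]. With reverse lookups off
# (Ruby's default) the hostname slot holds the numeric address as well.
def peer_allowed?(ip, port = 54321)
  family = ip.include?(':') ? 'AF_INET6' : 'AF_INET'
  SERVER_ACL.allow_addr?([family, port, ip, ip])
end

def classify(ips)
  ips.map { |ip| [ip, peer_allowed?(ip) ? :allow : :deny] }.to_h
end

# Start a server with the ACL installed. DRb checks every accepted TCP
# connection against it and closes denied ones before reading a request.
# Not invoked here; front is whatever object you intend to serve.
def serve_with_acl(front, uri = 'druby://0.0.0.0:8989')
  DRb.install_acl(SERVER_ACL)      # default ACL for services started afterwards
  DRb.start_service(uri, front)    # equivalently: DRb.start_service(uri, front, tcp_acl: SERVER_ACL)
  DRb.thread
end

# Constructed peers: loopback in both families, one inside the /24,
# one in a neighbouring /24, and one from an unrelated network.
classify(%w[127.0.0.1 ::1 192.168.1.77 192.168.2.1 10.0.0.5]).each do |ip, verdict|
  puts "#{ip.ljust(15)} #{verdict}"
end
```

Two things worth knowing before relying on this: a rule written with a wildcard such as 192.168.1.* is matched as a hostname pattern against the hostname slot rather than as a network, so prefer CIDR notation; and because the decision is made on the source address alone, it gives no protection against anything that can speak to the port from an allowed address, which is why the firewall remains the primary control.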
