DRb & instance_eval
There is a nice, little, documented security hole in DRb. Hopefully this will help us all remember the importance of $SAFE in our lives.
The DRb manual illustrates it with the following code:

    ro = DRbObject::new_with_uri("druby://your.server.com:8989")
    class << ro
      undef :instance_eval  # force call to be passed to remote object
    end
    ro.instance_eval("`rm -rf *`")
So this nugget exposes a plain, default-configured DRb service to injection of arbitrary code. DRbObject is only a proxy: any call it does not define itself falls into method_missing and is forwarded to the remote object. Every Ruby object already defines instance_eval, which is why the client first undefs it on the proxy, so that the call is pushed over the wire instead of being evaluated locally; the server then obligingly evaluates the string in its own process, with its own privileges. Many of you would probably question the legitimacy of leaving a hole like this open. But see: the answer is to run the server with $SAFE = 1, so that a string that arrived over the network (and is therefore tainted) can no longer be handed to eval, which can't be a default, can it?
So, if you're out tinkering with DRb: untaint wisely. And note that $SAFE and tainting were removed in Ruby 3.0, so on a current Ruby that knob no longer exists; what remains is to keep the service away from untrusted clients (DRb::ACL at the least) and to export only objects you would not mind an attacker calling.