$SAFE = 4 的 ruby 可能存在哪些漏洞? [英] What vulnerabilities are possible in ruby with $SAFE = 4?
问题描述
$SAFE = 4 的 ruby 中可能存在哪些漏洞?我马上就知道 XSRF 是可能的,因为攻击与受污染的变量"无关,而是与 http 请求的来源有关.我知道不会使用像 md5() 这样的弱加密算法.你知道其他人吗?非常感谢代码示例!
$SAFE=4 可能存在几乎无限的漏洞.没有什么可以保护您免受您可以通过代码执行的所有任意坏事的影响.例如,如果你不小心,无论 $SAFE 模式如何,你都可以对数据库中的敏感数据做各种愚蠢的事情——对于 Web 应用程序,这实际上应该比 $SAFE 帮助你的事情更重要和.$SAFE 本质上可以保护您免受一件您可能会做错的常见事情的影响,同时让所有其他事情保持开放.查看去年的优胜者Underhanded C 竞赛:><块引用>
这也是一个很好的例子,说明您无法防止有意编写错误的内容.代码将经得起任何缓冲区溢出检查、代码样式检查或 lint 程序.代码是正确正确的C代码;该错误并未在代码中引入,而是在更早的时候,在我构思算法时出现在我的脑海中.
What vulnerabilities are possible in ruby with $SAFE = 4? Right off the bat I know that XSRF is possible because the attack has nothing to do with "tainted variables" but rather where http request originates from. I know that using weak cryptographic algorithms like md5() won't be picked up. Do you know of any others? Code examples are much appreciated!
There's an almost limitless array of vulnerabilities possible with $SAFE=4. Nothing can protect you from all the arbitrary bad things you can do it code. For example, you can do all sorts of dumb things with sensitive data in a database if you're not careful no matter what the $SAFE mode — for Web apps, this should actually be a much bigger concern than the things $SAFE helps you with. $SAFE essentially protects you from one common thing you might do wrong while leaving all the others open. See last year's winner of the Underhanded C Contest:
It is also a great example of the principle that you can’t protect against intending to write the wrong thing. The code will stand up to any buffer overflow check, code style check, or lint program. The code is correct and proper C code; the bug was not introduced in the code, but much earlier, in my head when I conceived the algorithm.
这篇关于$SAFE = 4 的 ruby 可能存在哪些漏洞?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
