knu/postgresql-plruby

Cannot be built with ruby 2.1.x + patch

hhorak opened this issue · 1 comments

Ruby 2.1.1 changed things related to safe level; specifically, Ruby 2.1+ does not support a safe level bigger than 3.
https://bugs.ruby-lang.org/issues/8468
https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/41259

It means that it fails to build with the following error:
plruby.c:1660:5: error: call to 'ruby_safe_level_4_error' declared with attribute error: $SAFE=4 is obsolete

In Ruby 2.1.x there is now RUBY_SAFE_LEVEL_MAX, currently evaluated to 3. This constant is not in older Ruby versions, unfortunately.

The following is the proposed patch, which is just a quick version. A complete patch would need to change all parts of the code where a safe_level greater than 3 is expected.

diff -up postgresql-plruby-0.5.4/src/plruby.h.safelevel postgresql-plruby-0.5.4/src/plruby.h
--- postgresql-plruby-0.5.4/src/plruby.h.safelevel 2014-04-29 12:26:38.086862696 +0200
+++ postgresql-plruby-0.5.4/src/plruby.h 2014-04-29 12:27:51.487896135 +0200
@@ -68,8 +68,12 @@
extern VALUE rb_thread_list();

#ifndef SAFE_LEVEL
+#ifdef RUBY_SAFE_LEVEL_MAX
+#define SAFE_LEVEL RUBY_SAFE_LEVEL_MAX
+#else
#define SAFE_LEVEL 12
#endif
+#endif

#ifndef MAIN_SAFE_LEVEL
#ifdef PLRUBY_TIMEOUT
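
Review bot: the new `#ifdef RUBY_SAFE_LEVEL_MAX` branch sits inside `#ifndef SAFE_LEVEL`, so it only takes effect when the build has not already defined `SAFE_LEVEL`; a value supplied externally that is above the maximum is left as it is. Consider clamping after the outer `#endif`, for example with a check such as `#if defined(RUBY_SAFE_LEVEL_MAX) && SAFE_LEVEL > RUBY_SAFE_LEVEL_MAX`, and either redefine the macro there or stop the build with `#error`. The branch also lowers the default from 12 to `RUBY_SAFE_LEVEL_MAX` without any comment; since the description says the rest of the code still expects a safe_level greater than 3, a comment or `#warning` in this branch stating that the higher level is no longer in force would keep the reduction from going unnoticed. The `MAIN_SAFE_LEVEL` block that follows is untouched context here and should be checked for the same cap.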

In this case, PL/Ruby would need to be converted from a trusted to an untrusted language, since running untrusted Ruby code in a non-sandboxed process at $SAFE < 4 is an arbitrary code execution exploit.