randomly did a search for "securely running eval" and came across some questions on SO which eventually led to this
http://ruby-doc.com/docs/ProgrammingRuby/html/taint.html
So I tried it
$SAFE = 2def test_eval(formula) eval(formula)endtest_eval("p 23 + 445")test_eval("system('dir')")And Ruby accepts the print and the math, but when it tries to make a system call, it is denied.
Are there any issues with this approach?
Well, one obvious problem is that most players aren't actually modifying project scripts themselves, and any dev could probably just erase the line themselves. Maybe a better approach would be needed rather than just naively setting the variable in the script.
Seems like something that would be useful by default in RPG Maker, given that eval is commonly used everywhere (including built-in functionality such as damage formulas or script calls), and you can easily compromise (or at least, frustrate) players if you knew a few tricks.
Since RM is quite limited in terms of how it can be used and where it can get data from, there is less to worry about.
Of course, I'd like to assume most devs are honest or something like that.
Personally it's not an issue I would address, but if it helps block out the quick `rm -rf`'ers it might be cool.
http://ruby-doc.com/docs/ProgrammingRuby/html/taint.html
So I tried it
$SAFE = 2def test_eval(formula) eval(formula)endtest_eval("p 23 + 445")test_eval("system('dir')")And Ruby accepts the print and the math, but when it tries to make a system call, it is denied.
Are there any issues with this approach?
Well, one obvious problem is that most players aren't actually modifying project scripts themselves, and any dev could probably just erase the line themselves. Maybe a better approach would be needed rather than just naively setting the variable in the script.
Seems like something that would be useful by default in RPG Maker, given that eval is commonly used everywhere (including built-in functionality such as damage formulas or script calls), and you can easily compromise (or at least, frustrate) players if you knew a few tricks.
Since RM is quite limited in terms of how it can be used and where it can get data from, there is less to worry about.
Of course, I'd like to assume most devs are honest or something like that.
Personally it's not an issue I would address, but if it helps block out the quick `rm -rf`'ers it might be cool.
Last edited by a moderator:
