

Locking Ruby in the Safe



Walter Webcoder has a great idea for a portal site: The Web Arithmetic Page. Surrounded by all sorts of cool mathematical links and banner ads that will make him rich is a simple central frame, containing a text field and a button. Users type an arithmetic expression into the field, press the button, and the answer is displayed. All the world's calculators become obsolete overnight, and Walter cashes in and retires to devote his life to his collection of car license plate numbers.

Implementing the calculator is easy, thinks Walter. He accesses the contents of the form field using Ruby's CGI library, and uses the eval method to evaluate the string as an expression.

require 'cgi'

cgi = CGI::new("html4")

# Fetch the value of the form field "expression"
expr = cgi["expression"].to_s

begin
  result = eval(expr)            # evaluates whatever the user typed as Ruby code
rescue Exception => detail
  # handle bad expressions
end

# display result back to user...

Roughly seven seconds after Walter puts the application online, a twelve-year-old from Waxahachie with glandular problems and no real life types ``system("rm *")'' into the form and, like his application, Walter's dreams come tumbling down.

Walter learned an important lesson: All external data is dangerous. Don't let it close to interfaces that can modify your system. In this case, the content of the form field was the external data, and the call to eval was the security breach.

Fortunately, Ruby provides support for reducing this risk. All information from the outside world can be marked as tainted. When running in a safe mode, potentially dangerous methods will raise a SecurityError if passed a tainted object. Note that this mechanism belongs to the Ruby 1.6/1.8 generation the book describes: $SAFE lost its special meaning in Ruby 2.7, taint checks stopped having any effect at the same time, and the taint methods themselves were removed in Ruby 3.2. On a current interpreter none of the checks in this chapter apply, and the only defence is to keep eval away from external data altogether.

Safe Levels

The variable $SAFE determines Ruby's level of paranoia. Table 20.1 on page 257 gives details of the checks performed at each safe level.

$SAFE Constraints
0 No checking of the use of externally supplied (tainted) data is performed. This is Ruby's default mode.
>= 1 Ruby disallows the use of tainted data by potentially dangerous operations.
>= 2 Ruby prohibits the loading of program files from globally writable locations.
>= 3 All newly created objects are considered tainted.
>= 4 Ruby effectively partitions the running program in two. Nontainted objects may not be modified. Typically, this will be used to create a sandbox: the program sets up an environment using a lower $SAFE level, then resets $SAFE to 4 to prevent subsequent changes to that environment.

The default value of $SAFE is zero under most circumstances. However, if a Ruby script is run setuid or setgid,[A Unix script may be flagged to be run under a different user or group id than the person running it. This allows the script to have privileges that the user does not have; the script can access resources that the user would otherwise be prohibited from using. These scripts are called setuid or setgid.] its safe level is automatically set to 1. The safe level may also be set using the -T command-line option, and by assigning to $SAFE within the program. It is not possible to lower the value of $SAFE by assignment.

The current value of $SAFE is inherited when new threads are created. However, within each thread, the value of $SAFE may be changed without affecting the value in other threads. This facility may be used to implement secure ``sandboxes,'' areas where external code may run safely without risking the rest of your application or system. Do this by wrapping code that you load from a file in its own, anonymous module. This will protect your program's namespace from any unintended alteration.

f = open(fileName, "w")
f.print ...               # write untrusted program into file.
f.close
Thread.start {
  $SAFE = 4               # raises the level for this thread only
  load(fileName, true)    # true: wrap the file in an anonymous module
}

With a $SAFE level of 4, you can load only wrapped files. See Kernel::load on page 418 for details.
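The wrap half of this sandbox still exists in current Ruby (the second argument to Kernel#load), while the $SAFE = 4 half does not, because $SAFE no longer has any special meaning. The following added example, not from the book, shows precisely what an anonymous-module wrap does and does not protect: constants and top-level methods defined by the loaded file stay inside the anonymous module, but global variables and explicit references to Object (or to any other real class) reach the host program unhindered. The untrusted file contents are a constructed sample, and load_wrapped / sandbox_report are helper names invented for this example.

```ruby
require 'tempfile'

# Constructed sample of "untrusted" code, written to a file and loaded wrapped.
UNTRUSTED_SOURCE = <<~'RUBY'
  HELPER_VERSION = 1                 # constant: stays inside the anonymous module
  def helper; :from_sandbox; end     # top-level method: defined on the module, not Object
  $leaked = "globals are shared"     # global variable: NOT isolated by the wrap
  Object.const_set(:LEAK, :escaped)  # explicit Object reference: NOT isolated either
RUBY

# Write the source to a temp file and load it inside a fresh anonymous module.
# This is the load(fileName, true) call from the text, minus the $SAFE part.
def load_wrapped(source)
  Tempfile.create(['untrusted', '.rb']) do |f|
    f.write(source)
    f.flush
    load(f.path, true)
  end
end

# Load the sample and report which definitions leaked into the host program.
def sandbox_report
  $leaked = nil
  load_wrapped(UNTRUSTED_SOURCE)
  {
    constant_leaked:  Object.const_defined?(:HELPER_VERSION),
    method_leaked:    Object.private_method_defined?(:helper) ||
                      Object.method_defined?(:helper),
    global_leaked:    $leaked,
    const_set_leaked: Object.const_defined?(:LEAK),
  }
end

if __FILE__ == $0
  sandbox_report.each { |check, value| puts "#{check}: #{value.inspect}" }
end
```

The report is the practical caveat behind "protect your program's namespace from any unintended alteration": the wrap defends against accidental collisions, not against code that deliberately names the real Object, reopens a core class through a qualified reference, or writes globals. The isolation the book gets from $SAFE = 4 has to come from elsewhere today, typically a separate process.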

Tainted Objects

Any Ruby object derived from some external source (for example, a string read from a file, or an environment variable) is automatically marked as being tainted. If your program uses a tainted object to derive a new object, then that new object will also be tainted, as shown in the code below. Any object with external data somewhere in its past will be tainted. This tainting process is performed regardless of the current safe level. You can inspect the tainted status of an object using Object#tainted? .

# internal data
# =============
x1 = "a string"
x1.tainted?