That's not true of a language like Haskell, where you have to explicitly
turn on cowboy mode before anything unsafe can happen.

ISTM you are equivocating on the meaning of "unsafe" here. In Haskell "unsafe" means "not checked by the compiler", but you don't need to do anything unsafe to introduce a vulnerability.

Take the Yesod web framework mentioned earlier. An application handler in Yesod can perform IO operations, like reading a file at a path given by the user. That's just one line of code:

    content <- liftIO (readFile path)

There are no compiler errors, no compiler warnings, just one Rails-scale vulnerability.

The recent YAML attack in Rails was possible not because Ruby does not have static typing, but because Ruby supports creating instances of any class by name, calling any method by name, etc.

You could remove those "features" from Ruby and you would still have a dynamically typed language, but the YAML attack would not be possible.

Thanks,

Nicholas

--
You received this message because you are subscribed to the Google Groups "Ruby or 
Rails Oceania" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

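The "one line of code" file read from the Yesod paragraph above, written in Ruby as an added example (this is not code from the post, from Yesod or from Rails). The vulnerable reader is shown beside a hardened one that confines the path to a base directory, checking both before and after symlink resolution. The directory layout, file names and the `read_file_*` helpers are all constructed for the illustration; no type checker objects to either version in either language, the check has to be written by hand.

```ruby
require "tmpdir"
require "fileutils"

class PathEscape < ArgumentError; end

# The post's one-liner, in Ruby: reads whatever path the client supplied.
# "../secret.txt" or an absolute path walks straight out of `base`.
def read_file_unsafe(base, user_path)
  File.read(File.join(base, user_path))
end

# Hardened version: the path must stay under `base` both before and after
# symlink resolution, otherwise PathEscape is raised.
def read_file_confined(base, user_path)
  root = File.realpath(base)
  inside = ->(p) { p == root || p.start_with?(root + File::SEPARATOR) }

  # expand_path collapses "." and ".." segments; an absolute user_path is
  # returned unchanged, so it fails the prefix check as well.
  full = File.expand_path(user_path, root)
  raise PathEscape, user_path unless inside.call(full)

  # realpath follows symlinks (and raises Errno::ENOENT if the file is
  # missing); a link inside root that points outside is rejected here.
  real = File.realpath(full)
  raise PathEscape, user_path unless inside.call(real)

  File.read(real)
end

# Calls the confined reader and turns its outcomes into plain values.
def try_confined(base, user_path)
  read_file_confined(base, user_path)
rescue PathEscape
  :rejected
rescue Errno::ENOENT
  :missing
end

# Builds a throwaway tree (constructed fixture) and exercises both readers:
#   tmp/secret.txt            the file the attacker wants
#   tmp/public/hello.txt      the file the app means to serve
#   tmp/public/link -> ../secret.txt
def demo
  Dir.mktmpdir do |tmp|
    pub = File.join(tmp, "public")
    FileUtils.mkdir_p(pub)
    File.write(File.join(pub, "hello.txt"), "hello")
    File.write(File.join(tmp, "secret.txt"), "s3cret")
    File.symlink(File.join(tmp, "secret.txt"), File.join(pub, "link"))

    {
      unsafe_traversal: read_file_unsafe(pub, "../secret.txt"),
      confined_ok: try_confined(pub, "hello.txt"),
      confined_traversal: try_confined(pub, "../secret.txt"),
      confined_absolute: try_confined(pub, File.join(tmp, "secret.txt")),
      confined_symlink: try_confined(pub, "link"),
      confined_missing: try_confined(pub, "nope.txt"),
    }
  end
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

The two-stage check matters: `expand_path` alone catches `..` and absolute paths, but a symlink planted under the served directory still points wherever it likes, which is why the resolved path is checked a second time.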
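The Ruby feature the post names, instantiating a class chosen by name in the input, is exactly what a YAML document can trigger through Psych's `!ruby/object:` tag. The added example below (not from the post or from Rails) shows a constructed YAML document naming an assumed application class `AuditRecord`, the permissive loader building an instance of it, and `YAML.safe_load` refusing unless the class is allow-listed. Psych 4 (Ruby 3.1 and later) made `YAML.load` safe by default and moved the old behaviour to `YAML.unsafe_load`; the `load_permissive` helper is an assumption of this example that picks whichever the installed Psych provides.

```ruby
require "yaml"

# Assumed application class. The application never asks for one of these to
# be built; the document does.
class AuditRecord
  attr_reader :who, :action

  def initialize(who = nil, action = nil)
    @who = who
    @action = action
  end
end

# Constructed input: a YAML tag naming a Ruby class, with instance variables
# as the mapping.
TAGGED_YAML = <<~YAML
  record: !ruby/object:AuditRecord
    who: alice
    action: delete
YAML

# The class-by-name behaviour described in the post. On Psych 4 this is
# YAML.unsafe_load; older Psych only has YAML.load, which was the unsafe one.
def load_permissive(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Allow-list loader: plain scalars, arrays and hashes only, plus whatever
# classes the caller names explicitly. Anything else is a Psych::DisallowedClass.
def load_restricted(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  { error: e.class.name }
end

# Exercises the three cases and returns plain values for inspection.
def demo
  built = load_permissive(TAGGED_YAML)["record"]
  allowed = load_restricted(TAGGED_YAML, permitted: [AuditRecord])["record"]
  {
    permissive_class: built.class.name,   # the document picked the class
    permissive_who: built.who,            # and filled in its ivars
    restricted: load_restricted(TAGGED_YAML),
    allowlisted_class: allowed.class.name,
  }
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

The removal the post proposes is, in practice, what `safe_load` does at the library boundary: the untrusted document may describe data, but may not pick which code runs to build it.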