
RedHanded

Thursday

2004.12.30

Seven Christmases

by why in cult

Matz shows off the seven years of Christmas releases he’s given us all. My first Ruby was 1.6.4. What about yours?

  • ruby-1.0-971225 (1997-12-25)
  • ruby-1.1b3 (1997-12-25)
  • ruby-1.2 (1998-12-25)
  • ruby-1.3 (1998-12-24)
  • ruby-1.4.3 (1999-12-08)
  • ruby-1.6.2 (2000-12-25)
  • ruby-1.6.6 (2001-12-26)
  • ruby-1.6.8 (2002-12-24)
  • ruby-1.8.1 (2003-12-25)
  • ruby-1.8.2 (2004-12-25)

DRb & instance_eval

by why in inspect

There is a nice, little, documented security hole in DRb. Hopefully this’ll help us all remember the importance of $SAFE in our lives.

The DRb manual illustrates with the following code:

 ro = DRbObject::new_with_uri("druby://your.server.com:8989")
 class << ro
   undef :instance_eval  # force call to be passed to remote object
 end
 ro.instance_eval("`rm -rf *`")

So this nugget exposes the unflavoured DRb service to injection of any arbitrary code. Many of you would probably question the legitimacy of leaving a hole like this open. But see: the answer is to give $SAFE = 1, which can’t be a default, can it?

So, if you’re out tinkering with DRb: untaint wisely.
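The other half of the remedy, beyond $SAFE, is to never hand DRb the raw object in the first place. The following is an added example, not code from the post and not DRb's own code: it models DRb's "forward the method name and arguments to the remote object" step in-process, once with an open front that forwards anything (the situation the snippet above exploits) and once with a front object that forwards only an allowlist of method names. The `GuardedFront`, `OpenFront` and `Counter` classes and the `dispatch` method are assumptions made for the demonstration; the hostile request is constructed and uses a harmless payload so the script is safe to run.

```ruby
# Added example (not from the post, not DRb's own code): an in-process model
# of the DRb forwarding pattern, showing why a front object that dispatches
# only allowlisted method names closes the instance_eval hole.

# The object a server actually wants to expose: one harmless counter.
class Counter
  def initialize
    @n = 0
  end

  def bump
    @n += 1
  end

  def value
    @n
  end
end

# Guarded front (hypothetical helper, not part of DRb). Only names in EXPOSED
# are forwarded; everything else, including instance_eval, send and __send__,
# is refused before it ever reaches the real object.
class GuardedFront
  EXPOSED = %i[bump value].freeze

  # Names that must never be reachable over the wire, whatever the allowlist says.
  FORBIDDEN = %i[instance_eval instance_exec class_eval eval send __send__ public_send].freeze

  class Refused < StandardError; end

  def initialize(target)
    @target = target
  end

  # Stand-in for DRb delivering a (method name, args) pair from a client.
  def dispatch(name, *args)
    name = name.to_sym
    if FORBIDDEN.include?(name) || !EXPOSED.include?(name)
      raise Refused, "#{name} is not exposed"
    end
    @target.public_send(name, *args)
  end
end

# Open front: forwards any public method, which is what the post's example relies on.
class OpenFront
  def initialize(target)
    @target = target
  end

  def dispatch(name, *args)
    @target.public_send(name, *args)
  end
end

# Run one constructed request sequence against each front and return what
# the "client" can observe afterwards.
def run_demo
  hostile = ["instance_eval", "@n = 999"] # constructed hostile call, benign payload

  open = OpenFront.new(Counter.new)
  open.dispatch(:bump)
  open.dispatch(*hostile)            # goes straight through and rewrites state
  open_value = open.dispatch(:value) # 999

  guarded = GuardedFront.new(Counter.new)
  guarded.dispatch(:bump)
  refused = begin
    guarded.dispatch(*hostile)
    false
  rescue GuardedFront::Refused
    true
  end
  guarded_value = guarded.dispatch(:value) # 1

  { open_value: open_value, refused: refused, guarded_value: guarded_value }
end

puts run_demo if $PROGRAM_NAME == __FILE__
```

The allowlist is checked before the forwarding call, not after, so a client gets a `Refused` error rather than a partially executed request; and the deny-list is kept as well, so that a later careless addition to `EXPOSED` cannot quietly reopen the door.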

Google Search For Rails

by why in bits

Buncha great stuff comin out at Technoblog. Add a search box to your Rails site, simply by piping to Google’s SOAP endpoint.

 def search
   require 'soap/wsdlDriver'   # soap4r's WSDL-driven client

   $KCODE = "UTF8" # in order to parse some of the odd characters
   key = 'yourGoogleKey'
   yoursite = 'yoursite.com'

   # The factory call and .createDriver must sit on one line: a newline
   # after .new ends the statement in Ruby, so splitting it breaks the code.
   driver = SOAP::WSDLDriverFactory.new("http://api.google.com/GoogleSearch.wsdl").createDriver
   @results = driver.doGoogleSearch(key,
     @params['q'] + " site:#{yoursite}", 0, 10, true, " ", false, " ", " ", " ")
 end

Get your Google key here. (via del.icio.us)