    [ruby/net-http] Remove ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE · cd77e71b
    Jeremy Evans authored
    This list is out of date.  At least OpenBSD since 2013 does not
    allow one user to read the environment variables of a process
    run by another user.
    
    While we could try to keep the list updated, I think it's a bad
    idea to not use the user/password from the environment, even if
    another user on the system could read it.  If http_proxy exists
    in the environment, and other users can read it, it doesn't
    make it more secure for Ruby to ignore it.  You could argue that
    it encourages poor security practices, but net/http should provide
    mechanism, not policy.
    
    Fixes [Bug #18908]
    
    https://github.com/ruby/net-http/commit/1e4585153d