lib/openwfe/expressions/fe_misc.rb in openwferu-0.9.5 vs lib/openwfe/expressions/fe_misc.rb in openwferu-0.9.6
- old
+ new
@@ -37,10 +37,11 @@
# "made in Japan"
#
# John Mettraux at openwfe.org
#
+require 'openwfe/util/safe'
require 'openwfe/expressions/flowexpression'
require 'openwfe/expressions/fe_utils'
module OpenWFE
@@ -75,23 +76,34 @@
#
# <reval/>
#
# Evals some Ruby code contained within the process definition
- # or within the workitem
+ # or within the workitem.
+ #
+ # The code is evaluated at a SAFE level of 1.
#
class RevalExpression < FlowExpression
+ #
+ # See for an explanation on Ruby safety levels :
+ # http://www.rubycentral.com/book/taint.html
+ #
+ SAFETY_LEVEL = 3
+
def apply (workitem)
escape = lookup_boolean_attribute('escape', workitem, false)
code = OpenWFE::lookup_vf_attribute(self, workitem, 'code')
code = OpenWFE::fetch_text_content(self, workitem, escape) \
unless code
- result = eval(code.to_s)
+ code = code.to_s
+
+ #result = eval(code)
+ result = OpenWFE::eval_safely(code, SAFETY_LEVEL, binding())
OpenWFE::set_result(workitem, result) \
if result != nil # 'false' is a valid result
reply_to_parent(workitem)
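Review bot: The new class comment `# The code is evaluated at a SAFE level of 1.` disagrees with the constant declared a few lines below it, `SAFETY_LEVEL = 3`, so one of the two is wrong and a reader of the documentation would assume the weaker setting; if 3 is intended, change the comment to `# The code is evaluated at a SAFE level of 3 (see SAFETY_LEVEL).` Because the evaluated string is taken from the process definition or the workitem (the lookup_vf_attribute / fetch_text_content lines), it would help to document on the constant that $SAFE only restricts operations on tainted data and is not a full sandbox, and that passing `binding()` gives the evaluated code access to the expression instance's own state — the exact guarantees depend on what OpenWFE::eval_safely does, which is not visible in this hunk. The commented-out `#result = eval(code)` line is dead code and can be dropped now that the replacement is in place.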