6 files changed, 25 insertions, 106 deletions

diff --git a/lib/debug.rb b/lib/debug.rb
index 34d7d27406..ce8b7d7fb9 100644
--- a/lib/debug.rb
+++ b/lib/debug.rb
@@ -5,11 +5,6 @@
 
 require 'continuation'
 
-if $SAFE > 0
-  STDERR.print "-r debug.rb is not available in safe mode\n"
-  exit 1
-end
-
 require 'tracer'
 require 'pp'
 
diff --git a/lib/drb/drb.rb b/lib/drb/drb.rb
index 5c7f66ac16..0063e20144 100644
--- a/lib/drb/drb.rb
+++ b/lib/drb/drb.rb
@@ -160,8 +160,6 @@ require_relative 'eq'
 #   # The object that handles requests on the server
 #   FRONT_OBJECT=TimeServer.new
 #
-#   $SAFE = 1   # disable eval() and friends
-#
 #   DRb.start_service(URI, FRONT_OBJECT)
 #   # Wait for the drb server thread to finish before exiting.
 #   DRb.thread.join
@@ -245,8 +243,6 @@ require_relative 'eq'
 #
 #   FRONT_OBJECT=LoggerFactory.new("/tmp/dlog")
 #
-#   $SAFE = 1   # disable eval() and friends
-#
 #   DRb.start_service(URI, FRONT_OBJECT)
 #   DRb.thread.join
 #
@@ -286,10 +282,7 @@ require_relative 'eq'
 #    ro.instance_eval("`rm -rf *`")
 #
 # The dangers posed by instance_eval and friends are such that a
-# DRbServer should generally be run with $SAFE set to at least
-# level 1.  This will disable eval() and related calls on strings
-# passed across the wire.  The sample usage code given above follows
-# this practice.
+# DRbServer should only be used when clients are trusted.
 #
 # A DRbServer can be configured with an access control list to
 # selectively allow or deny access from specified IP addresses.  The
@@ -1362,7 +1355,6 @@ module DRb
     @@argc_limit = 256
     @@load_limit = 0xffffffff
     @@verbose = false
-    @@safe_level = 0
 
     # Set the default value for the :argc_limit option.
     #
@@ -1392,11 +1384,8 @@ module DRb
       @@idconv = idconv
     end
 
-    # Set the default safe level to +level+.  The default safe level is 0
-    #
-    # See #new for more information.
-    def self.default_safe_level(level)
-      @@safe_level = level
+    def self.default_safe_level(level) # :nodoc:
+      # Remove in Ruby 3.0
     end
 
     # Set the default value of the :verbose option.
@@ -1418,7 +1407,6 @@ module DRb
         :tcp_acl => @@acl,
         :load_limit => @@load_limit,
         :argc_limit => @@argc_limit,
-        :safe_level => @@safe_level
       }
       default_config.update(hash)
     end
@@ -1452,10 +1440,6 @@ module DRb
     # :argc_limit :: the maximum number of arguments to a remote
     #                method accepted by the server.  Defaults to
     #                256.
-    # :safe_level :: The safe level of the DRbServer.  The attribute
-    #                sets $SAFE for methods performed in the main_loop.
-    #                Defaults to 0.
-    #
     # The default values of these options can be modified on
     # a class-wide basis by the class methods #default_argc_limit,
     # #default_load_limit, #default_acl, #default_id_conv,
@@ -1487,7 +1471,6 @@ module DRb
 
       @front = front
       @idconv = @config[:idconv]
-      @safe_level = @config[:safe_level]
 
       @grp = ThreadGroup.new
       @thread = run
@@ -1514,11 +1497,10 @@ module DRb
     # The configuration of this DRbServer
     attr_reader :config
 
-    # The safe level for this server.  This is a number corresponding to
-    # $SAFE.
-    #
-    # The default safe_level is 0
-    attr_reader :safe_level
+    def safe_level # :nodoc:
+      # Remove in Ruby 3.0
+      0
+    end
 
     # Set whether to operate in verbose mode.
     #
@@ -1652,7 +1634,6 @@ module DRb
     class InvokeMethod  # :nodoc:
       def initialize(drb_server, client)
         @drb_server = drb_server
-        @safe_level = drb_server.safe_level
         @client = client
       end
 
@@ -1661,33 +1642,10 @@ module DRb
         @succ = false
         setup_message
 
-        if $SAFE < @safe_level
-          info = Thread.current['DRb']
-          if @block
-            @result = Thread.new do
-              Thread.current['DRb'] = info
-              prev_safe_level = $SAFE
-              $SAFE = @safe_level
-              perform_with_block
-            ensure
-              $SAFE = prev_safe_level
-            end.value
-          else
-            @result = Thread.new do
-              Thread.current['DRb'] = info
-              prev_safe_level = $SAFE
-              $SAFE = @safe_level
-              perform_without_block
-            ensure
-              $SAFE = prev_safe_level
-            end.value
-          end
+        if @block
+          @result = perform_with_block
         else
-          if @block
-            @result = perform_with_block
-          else
-            @result = perform_without_block
-          end
+          @result = perform_without_block
         end
         @succ = true
         case @result
diff --git a/lib/erb.rb b/lib/erb.rb
index 3f26c2ff30..d2ea64ab60 100644
--- a/lib/erb.rb
+++ b/lib/erb.rb
@@ -57,7 +57,6 @@ require "cgi/util"
 #
 # There are several settings you can change when you use ERB:
 # * the nature of the tags that are recognized;
-# * the value of <tt>$SAFE</tt> under which the template is run;
 # * the binding used to resolve local variables in the template.
 #
 # See the ERB.new and ERB#result methods for more detail.
@@ -747,9 +746,7 @@ class ERB
   # Constructs a new ERB object with the template specified in _str_.
   #
   # An ERB object works by building a chunk of Ruby code that will output
-  # the completed template when run. If _safe_level_ is set to a non-nil value,
-  # ERB code will be run in a separate thread with <b>$SAFE</b> set to the
-  # provided level.
+  # the completed template when run.
   #
   # If _trim_mode_ is passed a String containing one or more of the following
   # modifiers, ERB will adjust its code generation as listed:
@@ -813,8 +810,6 @@ class ERB
     # Complex initializer for $SAFE deprecation at [Feature #14256]. Use keyword arguments to pass trim_mode or eoutvar.
     if safe_level != NOT_GIVEN
       warn 'Passing safe_level with the 2nd argument of ERB.new is deprecated. Do not use it, and specify other arguments as keyword arguments.', uplevel: 1 if $VERBOSE || !ZERO_SAFE_LEVELS.include?(safe_level)
-    else
-      safe_level = nil
     end
     if legacy_trim_mode != NOT_GIVEN
       warn 'Passing trim_mode with the 3rd argument of ERB.new is deprecated. Use keyword argument like ERB.new(str, trim_mode: ...) instead.', uplevel: 1 if $VERBOSE
@@ -825,7 +820,6 @@ class ERB
       eoutvar = legacy_eoutvar
     end
 
-    @safe_level = safe_level
     compiler = make_compiler(trim_mode)
     set_eoutvar(compiler, eoutvar)
     @src, @encoding, @frozen_string = *compiler.compile(str)
@@ -908,17 +902,7 @@ class ERB
     unless @_init.equal?(self.class.singleton_class)
       raise ArgumentError, "not initialized"
     end
-    if @safe_level
-      proc do
-        prev_safe_level = $SAFE
-        $SAFE = @safe_level
-        eval(@src, b, (@filename || '(erb)'), @lineno)
-      ensure
-        $SAFE = prev_safe_level
-      end.call
-    else
-      eval(@src, b, (@filename || '(erb)'), @lineno)
-    end
+    eval(@src, b, (@filename || '(erb)'), @lineno)
   end
 
   # Render a template on a new toplevel binding with local variables specified
diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
index 8e10dc24b3..460ad08233 100644
--- a/lib/net/smtp.rb
+++ b/lib/net/smtp.rb
@@ -831,9 +831,6 @@ module Net
     end
 
     def mailfrom(from_addr)
-      if $SAFE > 0
-        raise SecurityError, 'tainted from_addr' if from_addr.tainted?
-      end
       getok("MAIL FROM:<#{from_addr}>")
     end
 
@@ -859,9 +856,6 @@ module Net
     end
 
     def rcptto(to_addr)
-      if $SAFE > 0
-        raise SecurityError, 'tainted to_addr' if to_addr.tainted?
-      end
       getok("RCPT TO:<#{to_addr}>")
     end
 
diff --git a/lib/tempfile.rb b/lib/tempfile.rb
index f7caf65f0c..efb0b1bcd6 100644
--- a/lib/tempfile.rb
+++ b/lib/tempfile.rb
@@ -98,10 +98,6 @@ class Tempfile < DelegateClass(File)
   #
   # The temporary file will be placed in the directory as specified
   # by the +tmpdir+ parameter. By default, this is +Dir.tmpdir+.
-  # When $SAFE > 0 and the given +tmpdir+ is tainted, it uses
-  # '/tmp' as the temporary directory. Please note that ENV values
-  # are tainted by default, and +Dir.tmpdir+'s return value might
-  # come from environment variables (e.g. <tt>$TMPDIR</tt>).
   #
   #   file = Tempfile.new('hello', '/home/aisaka')
   #   file.path  # => something like: "/home/aisaka/hello2843-8392-92849382--0"
diff --git a/lib/tmpdir.rb b/lib/tmpdir.rb
index d7a8f799fe..ea1d380ef1 100644
--- a/lib/tmpdir.rb
+++ b/lib/tmpdir.rb
@@ -19,22 +19,18 @@ class Dir
   # Returns the operating system's temporary file path.
 
   def self.tmpdir
-    if $SAFE > 0
-      @@systmpdir.dup
-    else
-      tmp = nil
-      [ENV['TMPDIR'], ENV['TMP'], ENV['TEMP'], @@systmpdir, '/tmp', '.'].each do |dir|
-        next if !dir
-        dir = File.expand_path(dir)
-        if stat = File.stat(dir) and stat.directory? and stat.writable? and
-            (!stat.world_writable? or stat.sticky?)
-          tmp = dir
-          break
-        end rescue nil
-      end
-      raise ArgumentError, "could not find a temporary directory" unless tmp
-      tmp
+    tmp = nil
+    [ENV['TMPDIR'], ENV['TMP'], ENV['TEMP'], @@systmpdir, '/tmp', '.'].each do |dir|
+      next if !dir
+      dir = File.expand_path(dir)
+      if stat = File.stat(dir) and stat.directory? and stat.writable? and
+          (!stat.world_writable? or stat.sticky?)
+        tmp = dir
+        break
+      end rescue nil
     end
+    raise ArgumentError, "could not find a temporary directory" unless tmp
+    tmp
   end
 
   # Dir.mktmpdir creates a temporary directory.
@@ -115,12 +111,8 @@ class Dir
     UNUSABLE_CHARS = [File::SEPARATOR, File::ALT_SEPARATOR, File::PATH_SEPARATOR, ":"].uniq.join("").freeze
 
     def create(basename, tmpdir=nil, max_try: nil, **opts)
-      if $SAFE > 0 and tmpdir.tainted?
-        tmpdir = '/tmp'
-      else
-        origdir = tmpdir
-        tmpdir ||= tmpdir()
-      end
+      origdir = tmpdir
+      tmpdir ||= tmpdir()
       n = nil
       prefix, suffix = basename
       prefix = (String.try_convert(prefix) or