eval and mod_ruby/eRuby

Gavin Kistner

Using mod_ruby, ruby 1.8.1, eRuby and Apache2:

<%
require 'cgi'

puts "$SAFE is #{$SAFE}",'<br>'

cgi = CGI.new
code = cgi['code']
puts "code is '#{code}'",'<br>'
puts "code.tainted? is #{code.tainted?}",'<br>'
code.untaint
puts "code.tainted? is #{code.tainted?}",'<br>'

#puts eval(code)
%>

PRODUCES

$SAFE is 1
code is 'puts "Hello z"'
code.tainted? is false
code.tainted? is false


But if I uncomment the last line, the error in my Apache log is:

[Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
/Users/gavinkistner/Sites/rubyeval.rhtml:10:in `eval': Insecure
operation - eval (SecurityError)
from /Users/gavinkistner/Sites/rubyeval.rhtml:10
from (eval):115
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `eval_string_wrap'
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `run'
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'


I *know* it's dangerous. This is on a private, protected machine for my
own personal use. How can I allow eval() to run under eRuby/mod_ruby?

David Heinemeier Hansson

I *know* it's dangerous. This is on a private, protected machine for
my own personal use. How can I allow eval() to run under
eRuby/mod_ruby?

You need access to the httpd.conf, so it won't fly on a shared server,
but:

<IfModule mod_ruby.c>
# other settings
RubySafeLevel 0
</IfModule>

This removes all the tainted security. So beware...

Gavin Kistner

David said:
<IfModule mod_ruby.c>
# other settings
RubySafeLevel 0
</IfModule>

This removes all the tainted security. So beware...

While I appreciate that this will work, I don't understand why it's
necessary.

According to:
http://phrogz.net/ProgrammingRuby/frameset.asp?content=taint.asp#safelevels

$SAFE>=1 : [...] Can't eval tainted strings.

As noted, the string involved isn't tainted. (And even if it had been,
the call to #untaint would have untainted it, since it's not until
$SAFE>=3 that things can't be untainted.)

So...why is mod_ruby borking? Does it somehow impose different rules on
what $SAFE means?