Gavin Kistner
Using mod_ruby, ruby 1.8.1, eRuby and Apache2:
<%
require 'cgi'
puts "$SAFE is #{$SAFE}",'<br>'
cgi = CGI.new
code = cgi['code']
puts "code is '#{code}'",'<br>'
puts "code.tainted? is #{code.tainted?}",'<br>'
code.untaint
puts "code.tainted? is #{code.tainted?}",'<br>'
#puts eval(code)
%>
PRODUCES
$SAFE is 1
code is 'puts "Hello z"'
code.tainted? is false
code.tainted? is false
But if I uncomment the last line, the error in my apache log is:
[Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
/Users/gavinkistner/Sites/rubyeval.rhtml:10:in `eval': Insecure operation - eval (SecurityError)
from /Users/gavinkistner/Sites/rubyeval.rhtml:10
from (eval):115
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `eval_string_wrap'
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `run'
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'
I *know* it's dangerous. This is on a private, protected machine for my
own personal use. How can I allow eval() to run under eRuby/mod_ruby?
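Added example, not the poster's code and not part of mod_ruby or eRuby: instead of passing the `code` parameter to eval, the request is parsed into a `name:argument` pair and dispatched through a fixed allowlist, so only operations the page author wrote can run. The COMMANDS table, the `name:argument` format and ARG_PATTERN are constructed here for illustration; Ruby's taint tracking and $SAFE levels are not used because modern Ruby no longer has them.

```ruby
require 'cgi'

# Constructed allowlist of operations the page is willing to perform on
# behalf of a request. Each entry maps a command name to a lambda that
# receives the validated argument; nothing outside this table can execute.
COMMANDS = {
  'greet'   => ->(arg) { "Hello #{arg}" },
  'upcase'  => ->(arg) { arg.upcase },
  'reverse' => ->(arg) { arg.reverse },
}.freeze

# Arguments are limited to 1..40 letters, digits and spaces.
ARG_PATTERN = /\A[[:alnum:] ]{1,40}\z/

# Parses "name:argument" from an untrusted value and dispatches it through
# the allowlist. Returns the HTML-escaped result, or an error string that
# names the reason without echoing the rejected input back into the page.
def run_request(raw)
  name, arg = raw.to_s.split(':', 2)
  return 'error: unknown command' unless COMMANDS.key?(name)
  return 'error: bad argument'    unless arg && ARG_PATTERN.match?(arg)

  CGI.escapeHTML(COMMANDS.fetch(name).call(arg))
end

# Same entry point as the post's cgi['code'], but fed from a query string
# so it runs offline: CGI.parse decodes "code=greet%3Az" to "greet:z".
def handle_query(query_string)
  params = CGI.parse(query_string)
  run_request(params.fetch('code', []).first)
end

if __FILE__ == $PROGRAM_NAME
  puts handle_query('code=greet%3Az')          # Hello z
  puts handle_query('code=puts+%22Hello+z%22') # error: unknown command
end
```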