Insecure operation

Discussion in 'Ruby' started by rasfast@gmail.com, Aug 26, 2008.

  1. Guest

    Hello!

    I'm trying to make a CGI script which uses modules from Rails, and
    I've got a "Security Error". I have read posts about taint/untaint,
    but nothing helps. Could you advise something?

    Details:
    FreeBSD 6.3-STABLE
    Rails 2.1.0
    Ruby 1.8.6
    Apache 2.2 + mod_ruby (for CGI) + latest Phusion Passenger + latest
    Ruby Enterprise (for Rails)

    Script:
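    require 'cgi'
    require '../config/environment'
    # CGI::parse returns every value as an array and #each returns the original
    # hash, so build a new hash that keeps only the first value for each key.
    # I don't know how to get GET vars in another way
    params = CGI::parse( ENV['QUERY_STRING'] ).inject({}) { |h, (key, el)| h[key] = el.first; h }
    # ContrSeller - is an existing model
    seller = ContrSeller.find( :first, :conditions => { :id => params['seller_id'], :password => params['pass'] } )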

    Error:
    mod_ruby: error in ruby
    mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)

    I can put a full error output here, but it's not needed.
    I have tried to untaint() the params variable and its values, but with no
    success.
    , Aug 26, 2008
    #1

  2. Guest

    On 26 Aug, 21:04, wrote:
    > I can put a full error output here, but it's not needed.


    Here is a full error report:
    mod_ruby: error in ruby
    mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `search_for_file'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `each'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `search_for_file'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:258:in `load_missing_constant'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:483:in `const_missing'
    mod_ruby: from ./pcapi.rb:6:in `new_session'
    mod_ruby: from /home/gs/data/www/pc.gorodskidok.com/api/api.rbx:43
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:354:in `new_constants_in'
    mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
    mod_ruby: from /usr/local/lib/ruby/site_ruby/1.8/apache/ruby-run.rb:53:in `handler'


    I have tried
    $SAFE = 0
    But it returns an error that the security level cannot be downgraded.
    , Aug 27, 2008
    #2
