something strange with cgi

Une Bévue

I have a CGI reading a POST parameter, cgi['search'].

The value is the name of a file which might exist under "/path/to".

Because I'm a newbie with CGI, I only want to print whether the file exists
or not:

file = "/Users/yt/man/#{cgi['search']}.html"
print "FileTest.exist?('#{file}') = " # here I get the right file name
print FileTest.exist?(file)           # here I get Internal Server Error, why???

This is strange to me because if I print:

print FileTest.exist?("/Users/yt/man/eruby.html") # without variable

I get true, without an internal server error...

Even if I define:

def file_exist(file)
  Dir.glob("/Users/yt/man/*.html").each do |_file|
    return true if _file === file
  end
  return false
end

and print:

print file_exist(file) # NO Internal Server Error

Any light?

In the meantime I had a look at the server error log, giving:
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)

The CGI isn't accessible externally...

ts

Une said:
print FileTest.exist?("/Users/yt/man/eruby.html") # without variable

Try with

puts file.tainted?
puts "/Users/yt/man/eruby.html".tainted?

Une said:
/Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)

man-receive.rbx runs with '$SAFE = 1', and it's a security error to use
FileTest#exist? with a tainted object at this level.

vgs% ruby -e 'name ="./ruby".taint; p FileTest.exist?(name)'
true
vgs%

vgs% ruby -e '$SAFE = 1; name ="./ruby".taint; p FileTest.exist?(name)'
-e:1:in `exist?': Insecure operation - exist? (SecurityError)
from -e:1
vgs%


Guy Decoux

Michael Granger

Une said:
I have a CGI reading a POST parameter, cgi['search'].

The value is the name of a file which might exist under "/path/to".

Because I'm a newbie with CGI, I only want to print whether the file exists
or not:

file = "/Users/yt/man/#{cgi['search']}.html"
print "FileTest.exist?('#{file}') = " # here I get the right file name
print FileTest.exist?(file)           # here I get Internal Server Error, why???

This is strange to me because if I print:

print FileTest.exist?("/Users/yt/man/eruby.html") # without variable

I get true, without an internal server error...

Even if I define:

def file_exist(file)
  Dir.glob("/Users/yt/man/*.html").each do |_file|
    return true if _file === file
  end
  return false
end

and print:

print file_exist(file) # NO Internal Server Error

Any light?

In the meantime I had a look at the server error log, giving:
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)


You're running your CGI under mod_ruby, which runs under $SAFE = 1:

http://wiki.modruby.net/en/?FAQ#SecurityError+is+raised.

This is done to protect you from using unsafe input from untrusted
sources in ways which might be dangerous, such as the one you
demonstrate above. Using an input parameter that a remote user can
modify in arbitrary ways in an operation that accesses the filesystem
is usually a bad idea. For more see the WWW Security FAQ:

http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q16

The examples are in Perl, but most of the same principles apply to
Ruby too.

Hope this helps.

Une Bévue

ts said:
Try with

puts file.tainted?
puts "/Users/yt/man/eruby.html".tainted?


man-receive.rbx runs with '$SAFE = 1', and it's a security error to use
FileTest#exist? with a tainted object at this level.

vgs% ruby -e 'name ="./ruby".taint; p FileTest.exist?(name)'
true
vgs%

vgs% ruby -e '$SAFE = 1; name ="./ruby".taint; p FileTest.exist?(name)'
-e:1:in `exist?': Insecure operation - exist? (SecurityError)
from -e:1
vgs%

OK, thanks!

Une Bévue

Michael Granger said:
The examples are in Perl, but most of the same principles apply to
Ruby too.

Fine, thanks for the refs.

In the meantime I've added a regexp checker on the input string which
verifies that the string is made up of a-zA-Z0-9 and '-' only.
I believe this is enough...
After that I untaint the search variable.
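The allowlist check described in the reply above, and the "don't hand remote input straight to the filesystem" point from Michael Granger's reply, as an added example that is not code from the thread. Two details matter in practice: the regexp must be anchored with \A and \z, because in Ruby ^ and $ match at embedded newlines, so "eruby\n../../etc/passwd" passes /^[a-zA-Z0-9-]+$/; and the Dir.glob workaround in the first post never raised only because the tainted string was compared against glob results rather than passed to a filesystem call. Ruby 3 no longer does taint tracking (the taint methods were deprecated in 2.7 and removed in 3.2), so the check below is explicit and runs without $SAFE. MAN_DIR is the directory from the original post; the function names and the sample directory built in demo are assumptions of this example.

```ruby
# Added example (not from the original thread): explicit input validation
# that does the job mod_ruby's $SAFE = 1 taint check was forcing on the poster.
#
# Assumptions (not in the thread): the man pages live under MAN_DIR, and a
# request is valid only if it names an existing "<name>.html" there.
require "tmpdir"

MAN_DIR = "/Users/yt/man"   # directory from the original post

# Man page names: letters, digits and '-' only, as the poster chose.
# \A and \z anchor to the whole string; ^ and $ are line anchors in Ruby,
# so "eruby\n../../etc/passwd" would slip through /^[a-zA-Z0-9-]+$/.
NAME_RE = /\A[A-Za-z0-9-]+\z/

# Returns the absolute path of the page for +search+, or nil if the input is
# rejected. Two independent checks: the allowlist on the raw input, and a
# containment check on the resolved path in case the allowlist is ever relaxed.
def man_page_path(search, base = MAN_DIR)
  return nil unless search.is_a?(String) && search.match?(NAME_RE)
  base = File.expand_path(base)
  path = File.expand_path("#{search}.html", base)
  return nil unless path.start_with?(base + File::SEPARATOR)
  path
end

# The question the poster actually wanted answered: does the page exist?
def man_page_exists?(search, base = MAN_DIR)
  path = man_page_path(search, base)
  !path.nil? && File.file?(path)
end

# Self-check against a constructed temporary directory holding one page.
# Returns [[query, exists?], ...] so the outcome can be inspected.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "eruby.html"), "<html></html>")
    [
      "eruby",                    # legitimate request -> true
      "nosuchpage",               # well-formed but absent -> false
      "../../etc/passwd",         # traversal, rejected by the allowlist
      "eruby\n../../etc/passwd",  # newline trick, rejected thanks to \A..\z
      "eruby.html",               # '.' not allowed; no "..", suffix or NUL games
    ].map { |q| [q, man_page_exists?(q, dir)] }
  end
end

if __FILE__ == $0
  demo.each { |q, ok| puts "#{q.inspect} => #{ok}" }
end
```

Only "eruby" resolves to true; every other probe is rejected before File.file? is ever called, which is the order a CGI should enforce regardless of whether the interpreter tracks taint.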