eval and mod_ruby/eRuby - Ruby

  1. #1

    eval and mod_ruby/eRuby

    Using mod_ruby, ruby 1.8.1, eRuby and Apache2:

    <%
    require 'cgi'

    puts "$SAFE is #{$SAFE}",'<br>'

    cgi = CGI.new
    code = cgi['code']
    puts "code is '#{code}'",'<br>'
    puts "code.tainted? is #{code.tainted?}",'<br>'
    code.untaint
    puts "code.tainted? is #{code.tainted?}",'<br>'

    #puts eval(code)
    %>

    PRODUCES

    $SAFE is 1
    code is 'puts "Hello z"'
    code.tainted? is false
    code.tainted? is false


    But if I uncomment the last line the error in my apache log is:

    [Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
    /Users/gavinkistner/Sites/rubyeval.rhtml:10:in `eval': Insecure
    operation - eval (SecurityError)
    from /Users/gavinkistner/Sites/rubyeval.rhtml:10
    from (eval):115
    from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `eval_string_wrap'
    from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `run'
    from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'


    I *know* it's dangerous. This is on a private, protected machine for my
    own personal use. How can I allow eval() to run under eRuby/mod_ruby?


    --
    (-, /\ \/ / /\/
    Gavin Guest

  2. #2

    Re: eval and mod_ruby/eRuby

    > I *know* it's dangerous. This is on a private, protected machine for 

    You need access to the httpd.conf, so it won't fly on a shared server,
    but:

    <IfModule mod_ruby.c>
    # other settings
    RubySafeLevel 0
    </IfModule>

    This removes all the tainted security. So beware...
    --
    David Heinemeier Hansson,
    http://www.basecamphq.com/ -- Web-based Project Management
    http://www.loudthinking.com/ -- Broadcasting Brain

    David Guest

  3. #3

    Re: eval and mod_ruby/eRuby

    David Heinemeier Hansson wrote: 

    While I appreciate that this will work, I don't understand why it's
    necessary.

    According to:
    http://phrogz.net/ProgrammingRuby/frameset.asp?content=taint.asp%23safelevels

    $SAFE>=1 : [...] Can't eval tainted strings.

    As noted, the string involved isn't tainted. (And even if it had been,
    the call to #untaint would have untainted it, since it's not until
    $SAFE>=3 that things can't be untainted.)

    So...why is mod_ruby borking? Does it somehow impose different rules on
    what $SAFE means?
    --
    (-, /\ \/ / /\/
    Gavin Guest
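The thread's remedy is to drop the interpreter's safe level so that eval(cgi['code']) is allowed to run. As an added example, not code from the thread, the script below handles the same request with the parameter selecting one entry of a server-defined dispatch table instead of being passed to eval, so nothing sent by the client is ever interpreted as Ruby and RubySafeLevel can stay where mod_ruby puts it. The params hash standing in for CGI.new and the table of operations are constructed for the example.

```ruby
# Added example (not from the thread): the page's handler passes a request
# parameter straight to eval; this shows the same endpoint with the parameter
# selecting one of a fixed set of operations instead, so nothing supplied by
# the client is parsed as Ruby and the safe level need not be lowered to 0.

# Server-defined operations (constructed for the example). Each lambda takes
# the request parameters and returns a String for the response body.
OPERATIONS = {
  'hello'  => ->(p) { "Hello #{p.fetch('name', 'world').to_s[0, 40]}" },
  'uptime' => ->(_) { "up #{Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i}s" },
  'sum'    => ->(p) { p.fetch('nums', '').split(',').map { |n| Integer(n, 10) }.sum.to_s },
}.freeze

# Insecure form from the thread, kept only as the 'before' for comparison:
#   def handle_eval(params) = eval(params['code'])   # runs client-supplied Ruby

# Hardened form: the client names an operation; unknown names and malformed
# arguments yield an error string, and the parameter value is never executed.
def handle(params)
  op = OPERATIONS[params['op'].to_s]
  return "error: unknown operation #{params['op'].inspect}" unless op
  begin
    op.call(params)
  rescue ArgumentError, TypeError => e
    "error: bad argument (#{e.class})"
  end
end

# Constructed request parameters standing in for cgi['...'] from the thread.
if __FILE__ == $PROGRAM_NAME
  puts handle('op' => 'hello', 'name' => 'z')
  puts handle('op' => 'sum', 'nums' => '1,2,3')
  puts handle('op' => 'puts "Hello z"')   # the thread's payload: looked up, not run
  puts handle('op' => 'sum', 'nums' => '1,x')
end
```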
