comp.lang.ruby

Opening Net::HTTP from mod_ruby script

Dmitry Borodaenko

11/3/2003 7:58:00 PM

Did anyone try that? While implementing Pingback client[1], I've stuck
with a SecurityError exception, even though I've untainted the uri that
I'm feeding to Net::HTTP:

require 'uri'
require 'net/http'

# Take the first absolute URI in the text/uri-list body; $& is the whole
# match and $1 its scheme group.
content =~ URI::REGEXP::ABS_URI or raise UserError,
  "text/uri-list should contain at least one absolute URI"
uri, scheme = $&, $1
throw :fail unless scheme =~ /^http/
response = Net::HTTP.get_response(URI.parse(uri.untaint))

Does Net::HTTP pick something tainted from the environment that I'm not
aware of?

[1] http://www.hixie.ch/specs/pingbac...

--
Dmitry Borodaenko
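The selection step from the question, written as an added example for current Ruby, where $SAFE and taint tracking no longer exist and the absoluteness and scheme checks therefore have to be explicit. This is not code from the thread or from the Samizdat project: the UserError class, the constructed text/uri-list bodies, the function names and the 5-second timeouts are assumptions. It goes slightly beyond the question's snippet by handling comment lines and unparsable lines in the list, and the fetch helper needs network, so it is not exercised offline.

```ruby
require 'uri'
require 'net/http'

class UserError < StandardError; end

# Constructed sample text/uri-list bodies (RFC 2483: one URI per line,
# lines starting with '#' are comments). Not taken from the thread.
SAMPLE_URI_LIST = <<~LIST
  # pingback source list
  /relative/path/only
  not a uri at all
  http://example.com/post?id=42
  https://example.net/other
LIST

SAMPLE_FTP_FIRST = <<~LIST
  ftp://example.com/file.txt
  http://example.com/post?id=42
LIST

SAMPLE_NO_ABSOLUTE = <<~LIST
  # nothing usable here
  /relative/path/only
LIST

# Mirrors the question's selection logic without taint tracking: the first
# absolute URI in the body is the candidate; raise UserError when there is
# none (the thread's `raise UserError`), return nil when that candidate is
# not http(s) (the thread's `throw :fail`), otherwise return the URI::HTTP.
def select_pingback_target(body)
  body.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    uri = begin
      URI.parse(line)
    rescue URI::InvalidURIError
      nil
    end
    next unless uri && uri.absolute?
    # Accept only http/https with a non-empty host; URI::HTTPS < URI::HTTP.
    return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    return uri
  end
  raise UserError, 'text/uri-list should contain at least one absolute URI'
end

# Fetches the selected source page. The timeouts are assumed values; they
# keep a slow peer from tying up the request handler. Needs network, so it
# is not called when the file is run offline.
def fetch_pingback_source(uri)
  Net::HTTP.start(uri.host, uri.port,
                  use_ssl: uri.scheme == 'https',
                  open_timeout: 5, read_timeout: 5) do |http|
    http.request(Net::HTTP::Get.new(uri))
  end
end

if $PROGRAM_NAME == __FILE__
  puts select_pingback_target(SAMPLE_URI_LIST)   # http://example.com/post?id=42
  p select_pingback_target(SAMPLE_FTP_FIRST)     # nil
  begin
    select_pingback_target(SAMPLE_NO_ABSOLUTE)
  rescue UserError => e
    puts "UserError: #{e.message}"
  end
end
```

The nil return for a non-http first URI keeps the question's behaviour (the caller's `throw :fail`) distinct from the "no absolute URI at all" error, so the two cases can be logged differently.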

5 Answers

Minero Aoki

11/4/2003 8:31:00 AM

0

Dmitry Borodaenko

11/5/2003 3:27:00 PM

0

On Tue, Nov 04, 2003 at 05:30:31PM +0900, Minero Aoki wrote:
> > content =~ URI::REGEXP::ABS_URI or raise UserError,
> > "text/uri-list should contain at least one absolute URI"
> > uri, scheme = $&, $1
> > throw :fail unless scheme =~ /^http/
> > response = Net::HTTP.get_response(URI.parse(uri.untaint))
> I could not reproduce the error.
> Could you show me exact error message?

/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
from /usr/lib/ruby/1.8/net/protocol.rb:83:in `new'
from /usr/lib/ruby/1.8/net/protocol.rb:83:in `connect'
from /usr/lib/ruby/1.8/net/protocol.rb:82:in `timeout'
from /usr/lib/ruby/1.8/timeout.rb:55:in `timeout'
from /usr/lib/ruby/1.8/net/protocol.rb:82:in `connect'
from /usr/lib/ruby/1.8/net/protocol.rb:64:in `initialize'
from /usr/lib/ruby/1.8/net/http.rb:429:in `open'
from /usr/lib/ruby/1.8/net/http.rb:429:in `do_start'
... 6 levels...
from /var/www/samizdat/message.rb:17:in `out'
from /var/www/samizdat/message.rb:17
from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `load'
from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `handler'

Apache/1.3.28 (Debian GNU/Linux) mod_ruby/1.0.7 Ruby/1.8.0

Hope that is enough, I don't know how to get a full call stack, without
skipping those "6 levels".

--
Dmitry Borodaenko

Minero Aoki

11/5/2003 3:55:00 PM

0

Dmitry Borodaenko

11/5/2003 5:25:00 PM

0

On Thu, Nov 06, 2003 at 12:55:15AM +0900, Minero Aoki wrote:
> > > > response = Net::HTTP.get_response(URI.parse(uri.untaint))
> > /usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
> It is an error raised on $SAFE=3 or higher.
> Please check RubySafeLevel parameter written in httpd.conf / .htaccess.

This parameter is not set in Apache configs, `$stderr << $SAFE` prints 1.

--
Dmitry Borodaenko

Dmitry Borodaenko

11/10/2003 10:44:00 AM

0

On Thu, Nov 06, 2003 at 02:25:06AM +0900, Dmitry Borodaenko wrote:
> On Thu, Nov 06, 2003 at 12:55:15AM +0900, Minero Aoki wrote:
> > > > > response = Net::HTTP.get_response(URI.parse(uri.untaint))
> > > /usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
> > It is an error raised on $SAFE=3 or higher.
> > Please check RubySafeLevel parameter written in httpd.conf / .htaccess.
> This parameter is not set in Apache configs, `$stderr << $SAFE` prints 1.

I've locked this down to Regexp#=~ under CGI, not necessarily under
mod_ruby, and only when I use my own Session#params() method I mentioned
elsewhere on this list. Here is a test to repeat this:

require 'cgi'

# Wrap CGI#[] for each key; a value that is only whitespace becomes nil.
def params(cgi, keys)
  keys.collect do |key|
    value = cgi[key]
    (value =~ /[^\s]/)? value : nil # =~ does something evil?
  end
end

cgi = CGI.new
cgi.out() do
  test, = params cgi, ['test'] # <---
  #test, = cgi['test']
  test.untaint
  test =~ /(.)/
  result = $1.tainted?   # true with params(), false with the commented line
  result.to_s
end

If you replace the line marked with arrow with the commented line that
follows, result changes from true to false.

Can anyone explain this?

--
Dmitry Borodaenko