Dmitry Borodaenko
11/10/2003 10:44:00 AM
On Thu, Nov 06, 2003 at 02:25:06AM +0900, Dmitry Borodaenko wrote:
> On Thu, Nov 06, 2003 at 12:55:15AM +0900, Minero Aoki wrote:
> > > > > response = Net::HTTP.get_response(URI.parse(uri.untaint))
> > > /usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
> > It is an error raised on $SAFE=3 or higher.
> > Please check RubySafeLevel parameter written in httpd.conf / .htaccess.
> This parameter is not set in Apache configs, `$stderr << $SAFE` prints 1.
I've locked this down to Regexp#=~ under CGI, not necessarily under
mod_ruby, and only when I use my own Session#params() method I mentioned
elsewhere on this list. Here is a test to repeat this:
require 'cgi'

# Wrapper around CGI#[]: returns each requested parameter, or nil when
# the value is empty or whitespace-only.
def params(cgi, keys)
  keys.collect do |key|
    value = cgi[key]
    (value =~ /[^\s]/) ? value : nil # =~ does something evil?
  end
end

cgi = CGI.new
cgi.out() do
  test, = params cgi, ['test'] # <---
  #test, = cgi['test']
  test.untaint
  test =~ /(.)/
  result = $1.tainted?  # true via params(), false via cgi['test']
  result.to_s           # becomes the response body
end
If you replace the line marked with the arrow with the commented line that
follows it, the result changes from true to false.
Can anyone explain this?
--
Dmitry Borodaenko