comp.lang.ruby

something strange with cgi

unbewusst.sein

5/2/2008 3:52:00 PM

i have a cgi reading a post value, cgi['search']

the value is the name of a file which might exist under "/path/to"

because i'm a newbie with cgi, i want to print only whether the file exists or
not :

require 'cgi'
cgi = CGI.new
file = "/Users/yt/man/#{cgi['search']}.html"
print "FileTest.exist?('#{file}') = " # here i get the right file name
print FileTest.exist?(file) # here i get Internal server error why ???

this is strange to me because if i print :

print FileTest.exist?("/Users/yt/man/eruby.html") #without variable

i get true, without internal server error...

even if i define :
def file_exist(file)
  Dir.glob("/Users/yt/man/*.html").each do |_file|
    return true if _file == file
  end
  return false
end

and print :

print file_exist(file) # NO Internal Server Error

any light ?

in the meantime i had a look at the server error log, giving :
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
[Wed Apr 30 19:03:19 2008] [error] mod_ruby:
/Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation
- exist? (SecurityError)

the cgi isn't accessible externally...
--
Une Bévue
4 Answers

ts

5/2/2008 4:08:00 PM

0

Une Bévue wrote:
> print FileTest.exist?("/Users/yt/man/eruby.html") #without variable

Try with

puts file.tainted?
puts "/Users/yt/man/eruby.html".tainted?

> /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation
> - exist? (SecurityError)

man-receive.rbx runs with '$SAFE = 1' and it's a security error to use
FileTest#exist? with a tainted object at this level

vgs% ruby -e 'name ="./ruby".taint; p FileTest.exist?(name)'
true
vgs%

vgs% ruby -e '$SAFE = 1; name ="./ruby".taint; p FileTest.exist?(name)'
-e:1:in `exist?': Insecure operation - exist? (SecurityError)
from -e:1
vgs%


Guy Decoux

Michael Granger

5/2/2008 11:44:00 PM

0

On May 2, 2008, at 8:55 AM, Une Bévue wrote:

> i have a cgi reading a post value, cgi['search']
>
> the value is the name of a file which might exist under "/path/to"
>
> because i'm a newbie with cgi, i want to print only whether the file exists or
> not :
>
> file = "/Users/yt/man/#{cgi['search']}.html"
> print "FileTest.exist?('#{file}') = " # here i get the right file name
> print FileTest.exist?(file) # here i get Internal server error why ???
>
> this is strange to me because if i print :
>
> print FileTest.exist?("/Users/yt/man/eruby.html") #without variable
>
> i get true, without internal server error...
>
> even if i define :
> def file_exist(file)
>   Dir.glob("/Users/yt/man/*.html").each do |_file|
>     return true if _file == file
>   end
>   return false
> end
>
> and print :
>
> print file_exist(file) # NO Internal Server Error
>
> any light ?
>
> in the meantime i had a look at the server error log, giving :
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby:
> /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation
> - exist? (SecurityError)


You're running your CGI under mod_ruby, which runs under $SAFE = 1:

http://wiki.modruby.net/en/?FAQ#SecurityError....

This is done to protect you from using unsafe input from untrusted
sources in ways which might be dangerous, such as the one you
demonstrate above. Using an input parameter that a remote user can
modify in arbitrary ways in an operation that accesses the filesystem
is usually a bad idea. For more see the WWW Security FAQ:

http://www.w3.org/Security/Faq/wwwsf4.ht...

The examples are in Perl, but most of the same principles apply to
Ruby too.

Hope this helps.
--
Michael Granger <ged@FaerieMUD.org>
Rubymage, Architect, Believer
The FaerieMUD Consortium <http://www.FaerieMU...
unbewusst.sein

5/3/2008 4:17:00 PM

0

ts <decoux@moulon.inra.fr> wrote:

> Try with
>
> puts file.tainted?
> puts "/Users/yt/man/eruby.html".tainted?
>
> > /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation
> > - exist? (SecurityError)
>
> man-receive.rbx runs with '$SAFE = 1' and it's a security error to use
> FileTest#exist? with a tainted object at this level
>
> vgs% ruby -e 'name ="./ruby".taint; p FileTest.exist?(name)'
> true
> vgs%
>
> vgs% ruby -e '$SAFE = 1; name ="./ruby".taint; p FileTest.exist?(name)'
> -e:1:in `exist?': Insecure operation - exist? (SecurityError)
> from -e:1
> vgs%

OK, thanks !
--
Une Bévue

unbewusst.sein

5/3/2008 4:30:00 PM

0

Michael Granger <ged@FaerieMUD.org> wrote:

> The examples are in Perl, but most of the same principles apply to
> Ruby too.

Fine, thanks for the refs.

In the meantime i've added a regexp checker on the input string which
verifies that the string is made up of a-zA-Z0-9 and '-' only.
I believe this is enough...
After that i untaint the search variable.

--
Une Bévue
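As an added example (not code from the thread or from mod_ruby), here is the whitelist check the last reply describes, written for current Ruby where $SAFE and taint tracking no longer do anything; MAN_DIR, the function names and the "weak versus correct anchors" comparison are assumptions of this example, not something the thread shows.

```ruby
MAN_DIR = '/Users/yt/man' # directory from the original post (assumed layout)

# Weak: in Ruby ^ and $ match at line boundaries, so a value with an embedded
# newline passes this check even though it carries extra characters.
LINE_ANCHORED   = /^[a-zA-Z0-9-]+$/
# Correct: \A and \z anchor to the start and end of the whole string.
STRING_ANCHORED = /\A[a-zA-Z0-9-]+\z/

# True only if +search+ is a non-empty String made up solely of a-zA-Z0-9 and '-'.
def valid_search?(search, pattern = STRING_ANCHORED)
  search.is_a?(String) && !search.empty? && pattern.match?(search)
end

# Path of the manual page for +search+, or nil when the input is rejected or
# the resolved path would end up outside +base+ (second line of defence).
def man_page_path(search, base = MAN_DIR)
  return nil unless valid_search?(search)
  name = search.dup
  # The step the last reply mentions; taint tracking has been a no-op since
  # Ruby 2.7 and Object#untaint was removed in 3.2, hence the guard.
  name.untaint if name.respond_to?(:untaint)
  path = File.expand_path("#{name}.html", base)
  path.start_with?(File.join(base, '')) ? path : nil
end

# What the original CGI wanted to print: does the page exist under base?
def man_page_exists?(search, base = MAN_DIR)
  path = man_page_path(search, base)
  !path.nil? && FileTest.exist?(path)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one valid name, two that must be rejected.
  ['eruby', '../eruby', "eruby\n.."].each do |s|
    puts "#{s.inspect}: #{man_page_path(s).inspect}"
  end
end
```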