rasfast
8/26/2008 5:04:00 PM
Hello!
I'm trying to make a CGI script which uses modules from Rails, and
I've got a "Security Error". I have read posts about taint/untaint,
but nothing helps. Could you advise something?
Details:
FreeBSD 6.3-STABLE
Rails 2.1.0
Ruby 1.8.6
Apache 2.2 + mod_ruby (for CGI) + latest Phusion Passenger + latest
Ruby Enterprise (for Rails)
Script:
require 'cgi'
require '../config/environment'
params = CGI::parse( ENV['QUERY_STRING'] ).each{ |key, el| {key => el.first} } #I don't know how to get GET vars in another way
seller = ContrSeller.find( :first, :conditions => { :id => params['seller_id'], :password => params['pass'] } ) #ContrSeller - is an existing model
Error:
mod_ruby: error in ruby
mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)
I can put a full error output here, but it's not needed.
I have tried to untaint() params variable and its values, but no
success.