comp.lang.ruby

Insecure operation

rasfast

8/26/2008 5:04:00 PM

Hello!

I'm trying to make a CGI script which uses modules from Rails, and
I've got a "Security Error". I have read posts about taint/untaint,
but nothing helps. Could you advise something?

Details:
FreeBSD 6.3-STABLE
Rails 2.1.0
Ruby 1.8.6
Apache 2.2 + mod_ruby (for CGI) + latest Phusion Passenger + latest
Ruby Enterprise (for Rails)

Script:
require 'cgi'
require '../config/environment'
# I don't know how to get GET vars in another way
# CGI::parse returns key => [values]; keep the first value of each key
params = {}
CGI::parse( ENV['QUERY_STRING'] ).each{ |key, el| params[key] = el.first }
# ContrSeller is an existing model
seller = ContrSeller.find( :first, :conditions => { :id => params['seller_id'], :password => params['pass'] } )

Error:
mod_ruby: error in ruby
mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)

I can put a full error output here, but it's not needed.
I have tried to untaint() the params variable and its values, but with no
success.
1 Answer

rasfast

8/27/2008 5:17:00 AM

0

On 26 ???, 21:04, rasf...@gmail.com wrote:
> I can put a full error output here, but it's not needed.

Here is a full error report:
mod_ruby: error in ruby
mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `search_for_file'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `each'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `search_for_file'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:258:in `load_missing_constant'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:483:in `const_missing'
mod_ruby: from ./pcapi.rb:6:in `new_session'
mod_ruby: from /home/gs/data/www/pc.gorodskidok.com/api/api.rbx:43
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:354:in `new_constants_in'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/site_ruby/1.8/apache/ruby-run.rb:53:in `handler'


I have tried
$SAFE = 0
but it returns an error that the security level cannot be downgraded.