Eruby SAFE question


(Dylan Northrup) #1

I’m trying to implement a replacement for the standard apache file listings
by implementing an index.rbx. I’m running into a problem, though. I want
to print out a link to everything that is a .rbx file or a directory.
However, when I call File.directory?(x) I get a Security error. Here’s the
relevant code and error.

```ruby
Dir.foreach('.') {|x|
  next if x =~ /^\.+$/            # skip "." and ".."
  @stay = false
  @dir_test = File.directory?(x)  # raises SecurityError under $SAFE: x is tainted
  @stay = true if @dir_test
  @stay = true if x =~ /\.rbx$/
  next unless @stay
  print "<li><a href=\"#{x}\">#{x}</a>\n"
}
```

```
/home/northrup/web/test/index.rbx:17:in `directory?': Insecure operation - directory? (SecurityError)
        from /home/northrup/web/test/index.rbx:17
        from /home/northrup/web/test/index.rbx:14:in `foreach'
        from /home/northrup/web/test/index.rbx:14
        from /usr/local/lib/ruby/site_ruby/1.6/apache/ruby-run.rb:70:in `load'
        from /usr/local/lib/ruby/site_ruby/1.6/apache/ruby-run.rb:70:in `handler'
        from ruby:0
```

    I’ve tried doing ‘@dir_test.untaint’ and ‘@dir_test =
    File.directory?(x).untaint’ and neither works. I’m wondering what I’m doing
    wrong and how I can get the results I want. Relevant citations from the
    pickaxe would be appreciated.

    ···


    Dylan Northrup <> docx@io.com <> http://www.io.com/~docx/
    “Harder to work, harder to strive, hard to be glad to be alive, but it’s
    really worth it if you give it a try.” – Cowboy Mouth, ‘Easy’


    (Sean Chittenden) #2

    I'm trying to implement a replacement for the standard apache file
    listings by implementing an index.rbx. I'm running into a problem,
    though. I want to print out a link to everything that is a .rbx
    file or a directory. However, when I call File.directory?(x) I get
    a Security error. Here's the relevant code and error.

    While it may seem frustrating, this is the correct, predictable, and
    secure thing to have happen. Read below for docbook reference:

    /home/northrup/web/test/index.rbx:17:in `directory?': Insecure operation - directory? (SecurityError)

    I've tried doing '@dir_test.untaint' and '@dir_test =
    File.directory?(x).untaint' and neither works. I'm wondering what
    I'm doing wrong and how I can get the results I want. Relevant
    citations from the pickaxe would be appreciated.

    If you were to bypass security, you'd want x.untaint. Don't do that
    though.

    http://www.rubydoc.org/book/ (bookmark this link)

    The following links are subject to change upon further builds of the
    document.

    http://www.rubydoc.org/book/c123.htm#AEN133
    http://www.rubydoc.org/book/c547.htm#R.DOCUMENT.ROOT

    -sc

    ···

    --
    Sean Chittenden
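
The approach Sean's reply points at, written out as an added example; this is not code from the thread, from mod_ruby or from the rubydoc.org book. The object that is tainted is the directory entry `x` (which is why untainting the boolean returned by `File.directory?` changes nothing), and blindly calling `x.untaint` would defeat the check that `$SAFE` exists to force. The example instead validates each entry as a single, non-hidden path component before it reaches any filesystem call, untaints only that validated copy, and escapes the name separately for the URL and for the HTML text. It assumes a current Ruby, on which tainting is a no-op (2.7) or gone (3.2+), so the `untaint` call is guarded by `respond_to?`; the helper names (`safe_entry?`, `listable_entries`, `render_listing`, `build_sample_dir`), the allowlist rule and the sample directory tree are this example's own.

```ruby
require 'cgi'
require 'erb'
require 'fileutils'
require 'tmpdir'

# A directory entry is usable only if it is a single path component: not
# empty, no slash, no NUL byte, and not a dotfile (which also excludes
# "." and ".."). This check must run BEFORE the name reaches
# File.directory? and before it is untainted on a Ruby that still has $SAFE.
def safe_entry?(name)
  return false if name.empty? || name.start_with?('.')
  return false if name.include?('/') || name.include?("\0")
  true
end

# Entries of +dir+ worth linking: subdirectories and *.rbx files, sorted.
# On Rubies that still implement tainting (1.6 through 2.6) the validated
# copy is untainted so File.directory? works under $SAFE = 1; on 2.7+ the
# call is a no-op, and on 3.2+ untaint no longer exists, hence the guard.
def listable_entries(dir)
  Dir.entries(dir).select { |x| safe_entry?(x) }.sort.select do |x|
    x = x.dup
    x.untaint if x.respond_to?(:untaint)
    File.directory?(File.join(dir, x)) || x.end_with?('.rbx')
  end
end

# Builds the <ul> that the index.rbx in the thread was trying to print. The
# name is encoded separately for the href and for the text node, so a file
# called x&y.rbx or <b>.rbx cannot inject markup into the listing.
def render_listing(dir)
  items = listable_entries(dir).map do |x|
    href = ERB::Util.url_encode(x)
    href += '/' if File.directory?(File.join(dir, x))
    "<li><a href=\"#{href}\">#{CGI.escapeHTML(x)}</a></li>"
  end
  "<ul>\n#{items.join("\n")}\n</ul>\n"
end

# Constructed sample tree (not from the thread): one subdirectory, one plain
# .rbx file, a .txt that must not appear, a dotfile that must not appear,
# and a name that needs both URL- and HTML-escaping.
def build_sample_dir(dir)
  FileUtils.mkdir_p(File.join(dir, 'sub'))
  %w[foo.rbx bar.txt .hidden.rbx x&y.rbx].each do |name|
    File.write(File.join(dir, name), '')
  end
  dir
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    build_sample_dir(dir)
    puts render_listing(dir)
  end
end
```

Run it directly and it prints three list items: `foo.rbx`, `sub/` and `x%26y.rbx` (shown as `x&amp;y.rbx`); `bar.txt` and `.hidden.rbx` are filtered out. The validation is what carries the security here, not the untaint: if the listing ever covers a directory that users can write to, a name containing a slash or a leading dot must never be handed to a filesystem call, with or without `$SAFE`.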


    (Tobi Reif) #3

    Sean Chittenden wrote:

    Read below for docbook reference:

    http://www.rubydoc.org/book/ (bookmark this link)

    I can’t find any DocBook files.

    What is the license for this book? GFDL might be a good candidate.

    Tobi

    ···


    http://www.pinkjuice.com/


    (Sean Chittenden) #4

    > Read below for docbook reference:
    >
    > http://www.rubydoc.org/book/ (bookmark this link)

    I can't find any DocBook files.

    There are actually a great number of files that make that up. I
    haven't setup a public anon CVS repo yet, but will shortly.

    What is the license for this book? GFDL might be a good candidate.

    Haven't gotten that far, I just wanted a less obscure place to stash
    my bits/FAQs/mod_ruby reference. I'm not a documentation license
    wizard so I don't know. Anything that has the 'G' in it reminds me of
    something to do with the GPL... OPL is what Dave Thomas and Andy are
    using, so I'll likely follow suit. Hard to say, I'm up for
    sanctioning. Until then, I think it just follows normal copyright
    laws. <:~) -sc

    ···

    --
    Sean Chittenden


    (Tobi Reif) #5

    Sean Chittenden wrote:

    I’m not a documentation license
    wizard so I don’t know. Anything that has the ‘G’ in it reminds me of
    something to do with the GPL…

    Which is great in the eyes of many :)

    OPL is what Dave Thomas and Andy are
    using, so I’ll likely follow suit.

    I suggest reading both or more licenses, then choose the one that fits
    your needs.

    Tobi

    ···


    http://www.pinkjuice.com/


    (Dave Thomas) #6

    Tobias Reif tobiasreif@pinkjuice.com writes:

    OPL is what Dave Thomas and Andy are
    using, so I’ll likely follow suit.

    I suggest reading both or more licenses, then choose the one that fits
    your needs.

    And if you use the OPL, I strongly suggest exercising options 1 and 2,
    to prevent the loss of copyright that happened to us. I don’t know
    what the GNU version would have done in these circumstances.

    Dave


    (Tobi Reif) #7

    Dave Thomas wrote:

    Tobias Reif tobiasreif@pinkjuice.com writes:

    OPL is what Dave Thomas and Andy are
    using, so I’ll likely follow suit.

    I suggest reading both or more licenses, then choose the one that fits
    your needs.

    And if you use the OPL, I strongly suggest exercising options 1 and 2,
    to prevent the loss of copyright that happened to us. I don’t know
    what the GNU version would have done in these circumstances.

    Boy, I had to close my mouth after long seconds; loss of copyright?

    Dave, could you shortly explain what happened, and how to prevent it?
    I’m sure that would be appreciated by many here, who are also making
    decisions about licenses.

    GFDL [1] says "Preserve all the copyright notices of the Document."
    Here’s a short note about why to use the GFDL [2].

    http://www.rubycentral.com/book/
    says
    "Copyright © 2001 by Addison Wesley Longman, Inc."

    Shouldn’t that be “© 2001 Dave Thomas Andy Hunt”?

    http://www.opencontent.org/openpub/

    With options 1 and 2, are you referring to

    "A. To prohibit distribution of substantively modified versions without
    the explicit permission of the author(s). “Substantive modification” is
    defined as a change to the semantic content of the document, and
    excludes mere changes in format or typographical corrections.

    To accomplish this, add the phrase `Distribution of substantively
    modified versions of this document is prohibited without the explicit
    permission of the copyright holder.’ to the license reference or copy.

    B. To prohibit any publication of this work or derivative works in whole
    or in part in standard (paper) book form for commercial purposes is
    prohibited unless prior permission is obtained from the copyright holder.

    To accomplish this, add the phrase ‘Distribution of the work or
    derivative of the work in any standard (paper) book form is prohibited
    unless prior permission is obtained from the copyright holder.’ to the
    license reference or copy."

    ?

    TIA,

    Tobi

    [1] http://www.gnu.org/copyleft/fdl.html
    [2] http://www.gnu.org/philosophy/why-gfdl.html

    ···


    http://www.pinkjuice.com/


    (Dave Thomas) #8

    Tobias Reif tobiasreif@pinkjuice.com writes:

    Dave, could you shortly explain what happened, and how to prevent it?
    I’m sure that would be appreciated by many here, who are also making
    decisions about licenses.

    I don’t know if there is a way to prevent it, What happened is that
    someone in Germany translated the book and decided that they now owned
    the copyright to all the content (including, interestingly, all the
    figures and code). As the new copyright holder, they then felt free to
    change the license under which the work was released (because all
    these schemes enforce the license through copyright).

    The best opinions I have say that this is a breach of
    copyright. However, I’m also told that had we included option (1) of
    the OPL we’d have a clearer case.

    http://www.rubycentral.com/book/
    says
    "Copyright © 2001 by Addison Wesley Longman, Inc."

    Shouldn’t that be “© 2001 Dave Thomas Andy Hunt”?

    No - Addison Wesley own the copyright.

    With options 1 and 2, are you refering to …

    Yes.

    Basically, the entire Open Source thing is based on trust. When that
    trust is breached, the options open to individuals are pretty
    limited. I don’t know yet what action Addison Wesley will be taking in
    this case, but I do know that personally there’s little that Andy or I
    could do apart from express disappointment.

    However, please don’t let this put anyone off releasing stuff under an
    Open Source license. You’re doing the community a world of good. Just
    understand the limitations of the license from a pragmatic
    perspective.

    Cheers

    Dave


    (David Alan Black) #9

    Hi –

    GFDL [1] says “Preserve all the copyright notices of the Document.”

    I’m not sure this would have impressed Mr. Katins, who does not seem
    to have much regard for the “preserve this notice” category of license
    requirements.

    I base this view on the fact that Katins’s translation does not
    include the following notice, which the OPL stipulates must be
    included with translations:

    Copyright © by <author’s name or designee>. This material
    may be distributed only subject to the terms and conditions set
    forth in the Open Publication License, vX.Y or later (the latest
    version is presently available at
    http://www.opencontent.org/openpub/).

    The OPL thus anticipates the case of translations, but through a
    "preserve this notice" mechanism which Katins evidently found
    cumbersome and therefore chose to ignore.

    David

    ···

    On Mon, 1 Jul 2002, Tobias Reif wrote:


    David Alan Black
    home: dblack@candle.superlink.net
    work: blackdav@shu.edu
    Web: http://pirate.shu.edu/~blackdav


    (Tobi Reif) #10

    Dave Thomas wrote:

    I don’t know if there is a way to prevent it, What happened is that
    someone in Germany translated the book and decided that they now owned
    the copyright to all the content

    This most definitely is highly illegal, from what I know.

    As the new copyright holder, they then felt free to
    change the license under which the work was released

    This is truly outrageous.

    The best opinions I have say that this is a breach of
    copyright. However, I’m also told that had we included option (1) of
    the OPL we’d have a clearer case.

    1. I’m pretty sure you already have a real case.
    2. They clearly knowingly sabotaged a system of goodwill and stole
      your works that you gave to the community.

    Basically, the entire Open Source thing is based on trust. When that
    trust is breached, the options open to individuals are pretty
    limited.

    I’m not sure, but would the FSF fight for users of the GFDL whose works
    have been stolen? If so, then this would make the GFDL an even better
    choice.

    I don’t know yet what action Addison Wesley will be taking in
    this case, but I do know that personally there’s little that Andy or I
    could do apart from express disappointment.

    My feelings are with you.

    I suggest to all to boycott this translation of the PickAxe.

    Tobi

    ···


    http://www.pinkjuice.com/


    (James) #11

    I don’t know if there is a way to prevent it, What happened is that
    someone in Germany translated the book and decided that they now owned
    the copyright to all the content (including, interestingly, all the
    figures and code). As the new copyright holder, they then felt free to
    change the license under which the work was released (because all
    these schemes enforce the license through copyright).

    The main page of the translation has this line:

    Copyright of the English original © 2000 Addison Wesley Longman, Inc.
    Released under the terms of the Open Publication License V1.0. That
    reference is available for download. "

    This is followed by:

    Copyright of the German translation © 2002 Jürgen Katins
    Permission is granted to copy, distribute and/or modify this document under
    the terms of the GNU Free Documentation License, Version 1.1 or any later
    version published by the Free Software Foundation; with no Invariant
    Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy
    of the license is included in the section entitled “GNU Free Documentation
    License”.

    I gather there is nothing to stop anybody from translating the English
    version into German again, with copyright assigned to Addison Wesley
    Longman, or Dave & Andy. The version might end up being remarkably similar
    to Herr Katins’ version, but, after all, this is essentially technical
    writing, not high-art literature, so similarities are inevitable. (That’s
    not to say the book does not have literary qualities in addition to its
    technical merits!)

    BTW, who owns the copyright on the familiar pictures found here?
    http://home.vr-web.de/juergen.katins/ruby/index.html

    Or are they translations, too?

    James


    (Juergen Katins) #12

    Tobias Reif wrote:

    I suggest to all to boycott this translation of the PickAxe.

    Thank you for your appreciation of my work. I have spent a lot of
    time and some money to complete this translation. If this is the
    estimation for it I should advise anybody not to make any effort in
    free software.
    Use it but for heaven's sake don't work for it!

    Tobias Reif wrote:

    Dave Thomas wrote:

    I don’t know if there is a way to prevent it, What happened is that
    someone in Germany translated the book and decided that they now owned
    the copyright to all the content

    This most definitely is highly illegal, from what I know.

    This is absolutely legal. Think of other free books like those written by
    Horaz, Platon, Edgar Allan Poe. Nobody would ever take the trouble to
    translate them if he doesn’t get the protection of copyright.

    james@rubyxml.com wrote:

    I gather there is nothing to stop anybody from translating the English
    version into German again, …

    Nothing but the amount of work.

    David Alan Black wrote:

    I base this view on the fact that Katins’s translation does not
    include the following notice, which the OPL stipulates must be
    included with translations:

    Copyright © by <author’s name or designee>. This material
    may be distributed only subject to the terms and conditions set
    forth in the Open Publication License, vX.Y or later (the latest
    version is presently available at
    http://www.opencontent.org/openpub/).

    Ooops, I only copied the copyright notice that I found:
    "Extracted from the book "Programming Ruby - The Pragmatic Programmer’s
    Guide"
    Copyright © 2000 Addison Wesley Longman, Inc. Released under the terms of
    the Open Publication License V1.0.
    This reference is available for download. "

    Tobias Reif wrote:

    They clearly knowingly sabotaged a system of goodwill and stole
    your works that you gave to the community.

    I am tired of all these lamentations about "He has stolen your work…",
    “The book is owned by …”

    My considered opinion on free software / free publications is:

    1. If you publish a free book it is just as Tobias says: you give it
      to the community. With it you lose your grip on it, you give away your
      rights (apart from personal rights like protection against disfiguration or
      incorrect citation). Nobody can steal something which is already given
      away.

    2. If there is any owner at all it is the one maintaining the project/book,
      the one who is working to improve the quality and usability.
      Maintenance of a free online book could look like this:
      Missing paragraphs could be included, figures could be made available,
      page references could be made real working references instead of numbers
      pointing to pages not existing, and the omitted index
      could be included again.
      A free online book should not be the crippled version of the printed book.
      A free book should be more than the mere appetizer for the book’s printed
      version.


    (Pit) #13

    Which I’m doing actually until this dispute has been settled. I think
    it should be possible to come to a mutual agreement that respects
    the work of both the original authors and the translator.

    Regards,
    Pit

    ···

    On 1 Jul 2002, at 6:09, Tobias Reif wrote:

    I suggest to all to boycott this translation of the PickAxe.


    (Josh Huber) #14

    Tobias Reif tobiasreif@pinkjuice.com writes:

    I’m not sure, but would the FSF fight for users of the GFDL whose
    works have been stolen? If so, then this would make the GFDL an even
    better choice.

    No, they would not. Only the copyright holder (at least in the US)
    can enforce copyright.

    This is why the FSF requires all official GNU project contributors to
    assign the copyright of their work on said project to the FSF.

    ttyl,

    ···


    Josh Huber


    (Tobi Reif) #15

    Juergen Katins wrote:

    Thank you for your appreciation of my work. I have spent a lot of
    time and some money to complete this translation.

    Just as Dave and Andy worked hard on the original book.

    Please don’t take my previous rant personally; but please do contact the
    original authors and work out an agreement.

    Tobi

    ···


    http://www.pinkjuice.com/


    (Tobi Reif) #16

    Juergen Katins,

    I am tired of all this lamentations about “He has stolen your work…”

    How exactly do you justify
    taking the copyright
    and
    changing the license
    without first asking the copyright holders or the original authors for
    permission?

    I’m sure a detailed explanation could clear things up, and might be a
    step towards an agreement.

    Tobi

    ···


    http://www.pinkjuice.com/


    (David Alan Black) #17

    That has nothing to do with my point, which was that the OPL
    propagates itself to translations through a mechanism which you have
    ignored.

    David

    ···

    On Mon, 1 Jul 2002, Juergen Katins wrote:

    David Alan Black wrote:

    I base this view on the fact that Katins’s translation does not
    include the following notice, which the OPL stipulates must be
    included with translations:

    Copyright © by <author’s name or designee>. This material
    may be distributed only subject to the terms and conditions set
    forth in the Open Publication License, vX.Y or later (the latest
    version is presently available at
    http://www.opencontent.org/openpub/).

    Ooops, I only copied the copyright notice that I found:
    "Extracted from the book "Programming Ruby - The Pragmatic Programmer’s
    Guide"
    Copyright © 2000 Addison Wesley Longman, Inc. Released under the terms of
    the Open Publication License V1.0.
    This reference is available for download. "


    David Alan Black
    home: dblack@candle.superlink.net
    work: blackdav@shu.edu
    Web: http://pirate.shu.edu/~blackdav


    (Massimiliano Mirra) #18

    It’s not given away: it’s shared with those who accept a certain set
    of rules called license. What you’re speaking of is public domain and
    is an entirely different matter.

    "Open", "proprietary" or "free" make no difference, when there
    is a license the pattern is the same: follow the rules and you can use
    it; don’t, and you can’t.

    Massimiliano

    ···

    On Mon, Jul 01, 2002 at 05:49:29PM +0900, Juergen Katins wrote:

    1. If you publish a free book it is just as Tobias says: you give it
      to the community. With it you lose your grip on it, you give away your
      rights (apart from personal rights like protection against disfiguration or
      incorrect citation). Nobody can steal something which is already given
      away.

    (Daniel) #19

    Hi,

    In an attempt to do bracket matching in Ruby, I added `let loaded_matchit =
    1` in my .vimrc file. This didn't seem to have the desired effect. Any
    pointers on this are appreciated.

    db


    (Tobi Reif) #20

    Josh Huber wrote:

    Tobias Reif tobiasreif@pinkjuice.com writes:

    I’m not sure, but would the FSF fight for users of the GFDL whose
    works have been stolen? If so, then this would make the GFDL an even
    better choice.

    No, they would not.

    I found out that they say they would.

    Only the copyright holder (at least in the US)
    can enforce copyright.

    Well sure; and then they would help the copyright holder.

    This is why the FSF requires all official GNU project contributers to
    assign the copyright of their work on said project to the FSF.

    This is irrelevant, because it is not a requirement for getting support.

    They will help, and it is not required that they are the copyright holders:

    http://www.gnu.org/licenses/gpl-violation.html

    "Note that the GPL, and other copyleft licenses, are copyright licenses.
    This means that only the copyright holders are empowered to act against
    violations. The FSF acts on all GPL violations reported on FSF
    copyrighted code,

    and we offer assistance to any other copyright holder who wishes to do
    the same.

    But, we cannot act on our own if we do not hold copyright. Thus, be sure
    to find out who the copyright holders of the software are before
    reporting a violation."

    Tobi

    ···


    http://www.pinkjuice.com/