Using mod_ruby, ruby 1.8.1, eRuby and Apache2:
<%
require 'cgi'
puts "$SAFE is #{$SAFE}", "\n"
cgi = CGI.new
code = cgi['code']          # value of the ?code= query parameter
puts "code is '#{code}'", "\n"
puts "code.tainted? is #{code.tainted?}", "\n"
code.untaint                # clear the taint flag before eval
puts "code.tainted? is #{code.tainted?}", "\n"
#puts eval(code)
%>
PRODUCES
$SAFE is 1
code is 'puts "Hello z"'
code.tainted? is false
code.tainted? is false
But if I uncomment the last line the error in my apache log is:
[Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
/Users/gavinkistner/Sites/rubyeval.rhtml:10:in `eval': Insecure operation - eval (SecurityError)
        from /Users/gavinkistner/Sites/rubyeval.rhtml:10
        from (eval):115
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `eval_string_wrap'
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `run'
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'
I know it's dangerous. This is on a private, protected machine for my
own personal use. How can I allow eval() to run under eRuby/mod_ruby?