Eval and mod_ruby/eRuby

Using mod_ruby, ruby 1.8.1, eRuby and Apache2:

<%
require ‘cgi’

puts “$SAFE is #{$SAFE}”,’
’

cgi = CGI.new
code = cgi[‘code’]
puts “code is ‘#{code}’”,’
‘
puts “code.tainted? is #{code.tainted?}”,’
‘
code.untaint
puts “code.tainted? is #{code.tainted?}”,’
’

#puts eval(code)
%>

PRODUCES

$SAFE is 1
code is 'puts “Hello z”'
code.tainted? is false
code.tainted? is false

But if I uncomment the last line the error in my apache log is:

[Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
/Users/gavinkistner/Sites/rubyeval.rhtml:10:in eval': Insecure operation - eval (SecurityError) from /Users/gavinkistner/Sites/rubyeval.rhtml:10 from (eval):115 from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:ineval_string_wrap’
from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in run' from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:inhandler’

I know it’s dangerous. This is on a private, protected machine for my
own personal use. How can I allow eval() to run under eRuby/mod_ruby?

I know it’s dangerous. This is on a private, protected machine for
my own personal use. How can I allow eval() to run under
eRuby/mod_ruby?

You need access to the httpd.conf, so it won’t fly on a shared server,
but:

This removes all the tainted security. So beware…

David Heinemeier Hansson wrote:

# other settings RubySafeLevel 0

This removes all the tainted security. So beware…

While I appreciate that this will work, I don’t understand why it’s
necessary.

According to:
http://phrogz.net/ProgrammingRuby/frameset.asp?content=taint.asp%23safelevels

$SAFE>=1 : […] Can’t eval tainted strings.

As noted, the string involved isn’t tainted. (And even if it had been,
the call to #untaint would have untainted it, since it’s not until
$SAFE>=3 that things can’t be untainted.)

So…why is mod_ruby borking? Does it somehow impose different rules on
what $SAFE means?